1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include <string.h>
17
18 #include <openssl/crypto.h>
19
20 #include "error/s2n_errno.h"
21
22 #include "crypto/s2n_cipher.h"
23 #include "crypto/s2n_openssl.h"
24
25 #include "tls/s2n_auth_selection.h"
26 #include "tls/s2n_kex.h"
27 #include "tls/s2n_security_policies.h"
28 #include "tls/s2n_tls.h"
29 #include "tls/s2n_tls13.h"
30 #include "utils/s2n_safety.h"
31 #include "tls/s2n_psk.h"
32 #include "pq-crypto/s2n_pq.h"
33
34 /*************************
35 * S2n Record Algorithms *
36 *************************/
37 const struct s2n_record_algorithm s2n_record_alg_null = {
38 .cipher = &s2n_null_cipher,
39 .hmac_alg = S2N_HMAC_NONE,
40 .flags = 0,
41 .encryption_limit = UINT64_MAX,
42 };
43
44 const struct s2n_record_algorithm s2n_record_alg_rc4_md5 = {
45 .cipher = &s2n_rc4,
46 .hmac_alg = S2N_HMAC_MD5,
47 .flags = 0,
48 .encryption_limit = UINT64_MAX,
49 };
50
51 const struct s2n_record_algorithm s2n_record_alg_rc4_sslv3_md5 = {
52 .cipher = &s2n_rc4,
53 .hmac_alg = S2N_HMAC_SSLv3_MD5,
54 .flags = 0,
55 .encryption_limit = UINT64_MAX,
56 };
57
58 const struct s2n_record_algorithm s2n_record_alg_rc4_sha = {
59 .cipher = &s2n_rc4,
60 .hmac_alg = S2N_HMAC_SHA1,
61 .flags = 0,
62 .encryption_limit = UINT64_MAX,
63 };
64
65 const struct s2n_record_algorithm s2n_record_alg_rc4_sslv3_sha = {
66 .cipher = &s2n_rc4,
67 .hmac_alg = S2N_HMAC_SSLv3_SHA1,
68 .flags = 0,
69 .encryption_limit = UINT64_MAX,
70 };
71
72 const struct s2n_record_algorithm s2n_record_alg_3des_sha = {
73 .cipher = &s2n_3des,
74 .hmac_alg = S2N_HMAC_SHA1,
75 .flags = 0,
76 .encryption_limit = UINT64_MAX,
77 };
78
79 const struct s2n_record_algorithm s2n_record_alg_3des_sslv3_sha = {
80 .cipher = &s2n_3des,
81 .hmac_alg = S2N_HMAC_SSLv3_SHA1,
82 .flags = 0,
83 .encryption_limit = UINT64_MAX,
84 };
85
86 const struct s2n_record_algorithm s2n_record_alg_aes128_sha = {
87 .cipher = &s2n_aes128,
88 .hmac_alg = S2N_HMAC_SHA1,
89 .flags = 0,
90 .encryption_limit = UINT64_MAX,
91 };
92
93 const struct s2n_record_algorithm s2n_record_alg_aes128_sslv3_sha = {
94 .cipher = &s2n_aes128,
95 .hmac_alg = S2N_HMAC_SSLv3_SHA1,
96 .flags = 0,
97 .encryption_limit = UINT64_MAX,
98 };
99
100 const struct s2n_record_algorithm s2n_record_alg_aes128_sha_composite = {
101 .cipher = &s2n_aes128_sha,
102 .hmac_alg = S2N_HMAC_NONE,
103 .flags = 0,
104 .encryption_limit = UINT64_MAX,
105 };
106
107 const struct s2n_record_algorithm s2n_record_alg_aes128_sha256 = {
108 .cipher = &s2n_aes128,
109 .hmac_alg = S2N_HMAC_SHA256,
110 .flags = 0,
111 .encryption_limit = UINT64_MAX,
112 };
113
114 const struct s2n_record_algorithm s2n_record_alg_aes128_sha256_composite = {
115 .cipher = &s2n_aes128_sha256,
116 .hmac_alg = S2N_HMAC_NONE,
117 .encryption_limit = UINT64_MAX,
118 };
119
120 const struct s2n_record_algorithm s2n_record_alg_aes256_sha = {
121 .cipher = &s2n_aes256,
122 .hmac_alg = S2N_HMAC_SHA1,
123 .flags = 0,
124 .encryption_limit = UINT64_MAX,
125 };
126
127 const struct s2n_record_algorithm s2n_record_alg_aes256_sslv3_sha = {
128 .cipher = &s2n_aes256,
129 .hmac_alg = S2N_HMAC_SSLv3_SHA1,
130 .flags = 0,
131 .encryption_limit = UINT64_MAX,
132 };
133
134 const struct s2n_record_algorithm s2n_record_alg_aes256_sha_composite = {
135 .cipher = &s2n_aes256_sha,
136 .hmac_alg = S2N_HMAC_NONE,
137 .flags = 0,
138 .encryption_limit = UINT64_MAX,
139 };
140
141 const struct s2n_record_algorithm s2n_record_alg_aes256_sha256 = {
142 .cipher = &s2n_aes256,
143 .hmac_alg = S2N_HMAC_SHA256,
144 .flags = 0,
145 .encryption_limit = UINT64_MAX,
146 };
147
148 const struct s2n_record_algorithm s2n_record_alg_aes256_sha256_composite = {
149 .cipher = &s2n_aes256_sha256,
150 .hmac_alg = S2N_HMAC_NONE,
151 .encryption_limit = UINT64_MAX,
152 };
153
154 const struct s2n_record_algorithm s2n_record_alg_aes256_sha384 = {
155 .cipher = &s2n_aes256,
156 .hmac_alg = S2N_HMAC_SHA384,
157 .flags = 0,
158 .encryption_limit = UINT64_MAX,
159 };
160
161 const struct s2n_record_algorithm s2n_record_alg_aes128_gcm = {
162 .cipher = &s2n_aes128_gcm,
163 .hmac_alg = S2N_HMAC_NONE,
164 .flags = S2N_TLS12_AES_GCM_AEAD_NONCE,
165 .encryption_limit = UINT64_MAX,
166 };
167
168 const struct s2n_record_algorithm s2n_record_alg_aes256_gcm = {
169 .cipher = &s2n_aes256_gcm,
170 .hmac_alg = S2N_HMAC_NONE,
171 .flags = S2N_TLS12_AES_GCM_AEAD_NONCE,
172 .encryption_limit = UINT64_MAX,
173 };
174
175 const struct s2n_record_algorithm s2n_record_alg_chacha20_poly1305 = {
176 .cipher = &s2n_chacha20_poly1305,
177 .hmac_alg = S2N_HMAC_NONE,
178 /* Per RFC 7905, ChaCha20-Poly1305 will use a nonce construction expected to be used in TLS1.3.
179 * Give it a distinct 1.2 nonce value in case this changes.
180 */
181 .flags = S2N_TLS12_CHACHA_POLY_AEAD_NONCE,
182 .encryption_limit = UINT64_MAX,
183 };
184
185 /* TLS 1.3 Record Algorithms */
186 const struct s2n_record_algorithm s2n_tls13_record_alg_aes128_gcm = {
187 .cipher = &s2n_tls13_aes128_gcm,
188 .hmac_alg = S2N_HMAC_NONE, /* previously used in 1.2 prf, we do not need this */
189 .flags = S2N_TLS13_RECORD_AEAD_NONCE,
190 .encryption_limit = S2N_TLS13_AES_GCM_MAXIMUM_RECORD_NUMBER,
191 };
192
193 const struct s2n_record_algorithm s2n_tls13_record_alg_aes256_gcm = {
194 .cipher = &s2n_tls13_aes256_gcm,
195 .hmac_alg = S2N_HMAC_NONE,
196 .flags = S2N_TLS13_RECORD_AEAD_NONCE,
197 .encryption_limit = S2N_TLS13_AES_GCM_MAXIMUM_RECORD_NUMBER,
198 };
199
200 const struct s2n_record_algorithm s2n_tls13_record_alg_chacha20_poly1305 = {
201 .cipher = &s2n_chacha20_poly1305,
202 .hmac_alg = S2N_HMAC_NONE,
203 /* this mirrors s2n_record_alg_chacha20_poly1305 with the exception of TLS 1.3 nonce flag */
204 .flags = S2N_TLS13_RECORD_AEAD_NONCE,
205 .encryption_limit = UINT64_MAX,
206 };
207
208 /*********************
209 * S2n Cipher Suites *
210 *********************/
211
212 /* This is the initial cipher suite, but is never negotiated */
213 struct s2n_cipher_suite s2n_null_cipher_suite = {
214 .available = 1,
215 .name = "TLS_NULL_WITH_NULL_NULL",
216 .iana_value = { TLS_NULL_WITH_NULL_NULL },
217 .key_exchange_alg = &s2n_rsa,
218 .auth_method = S2N_AUTHENTICATION_RSA,
219 .record_alg = &s2n_record_alg_null,
220 };
221
222 struct s2n_cipher_suite s2n_rsa_with_rc4_128_md5 = /* 0x00,0x04 */ {
223 .available = 0,
224 .name = "RC4-MD5",
225 .iana_value = { TLS_RSA_WITH_RC4_128_MD5 },
226 .key_exchange_alg = &s2n_rsa,
227 .auth_method = S2N_AUTHENTICATION_RSA,
228 .record_alg = NULL,
229 .all_record_algs = { &s2n_record_alg_rc4_md5 },
230 .num_record_algs = 1,
231 .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_md5,
232 .prf_alg = S2N_HMAC_SHA256,
233 .minimum_required_tls_version = S2N_SSLv3,
234 };
235
236 struct s2n_cipher_suite s2n_rsa_with_rc4_128_sha = /* 0x00,0x05 */ {
237 .available = 0,
238 .name = "RC4-SHA",
239 .iana_value = { TLS_RSA_WITH_RC4_128_SHA },
240 .key_exchange_alg = &s2n_rsa,
241 .auth_method = S2N_AUTHENTICATION_RSA,
242 .record_alg = NULL,
243 .all_record_algs = { &s2n_record_alg_rc4_sha },
244 .num_record_algs = 1,
245 .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_sha,
246 .prf_alg = S2N_HMAC_SHA256,
247 .minimum_required_tls_version = S2N_SSLv3,
248 };
249
250 struct s2n_cipher_suite s2n_rsa_with_3des_ede_cbc_sha = /* 0x00,0x0A */ {
251 .available = 0,
252 .name = "DES-CBC3-SHA",
253 .iana_value = { TLS_RSA_WITH_3DES_EDE_CBC_SHA },
254 .key_exchange_alg = &s2n_rsa,
255 .auth_method = S2N_AUTHENTICATION_RSA,
256 .record_alg = NULL,
257 .all_record_algs = { &s2n_record_alg_3des_sha },
258 .num_record_algs = 1,
259 .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
260 .prf_alg = S2N_HMAC_SHA256,
261 .minimum_required_tls_version = S2N_SSLv3,
262 };
263
264 struct s2n_cipher_suite s2n_dhe_rsa_with_3des_ede_cbc_sha = /* 0x00,0x16 */ {
265 .available = 0,
266 .name = "DHE-RSA-DES-CBC3-SHA",
267 .iana_value = { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA },
268 .key_exchange_alg = &s2n_dhe,
269 .auth_method = S2N_AUTHENTICATION_RSA,
270 .record_alg = NULL,
271 .all_record_algs = { &s2n_record_alg_3des_sha },
272 .num_record_algs = 1,
273 .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
274 .prf_alg = S2N_HMAC_SHA256,
275 .minimum_required_tls_version = S2N_SSLv3,
276 };
277
278 struct s2n_cipher_suite s2n_rsa_with_aes_128_cbc_sha = /* 0x00,0x2F */ {
279 .available = 0,
280 .name = "AES128-SHA",
281 .iana_value = { TLS_RSA_WITH_AES_128_CBC_SHA },
282 .key_exchange_alg = &s2n_rsa,
283 .auth_method = S2N_AUTHENTICATION_RSA,
284 .record_alg = NULL,
285 .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
286 .num_record_algs = 2,
287 .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
288 .prf_alg = S2N_HMAC_SHA256,
289 .minimum_required_tls_version = S2N_SSLv3,
290 };
291
292 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_cbc_sha = /* 0x00,0x33 */ {
293 .available = 0,
294 .name = "DHE-RSA-AES128-SHA",
295 .iana_value = { TLS_DHE_RSA_WITH_AES_128_CBC_SHA },
296 .key_exchange_alg = &s2n_dhe,
297 .auth_method = S2N_AUTHENTICATION_RSA,
298 .record_alg = NULL,
299 .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
300 .num_record_algs = 2,
301 .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
302 .prf_alg = S2N_HMAC_SHA256,
303 .minimum_required_tls_version = S2N_SSLv3,
304 };
305
306 struct s2n_cipher_suite s2n_rsa_with_aes_256_cbc_sha = /* 0x00,0x35 */ {
307 .available = 0,
308 .name = "AES256-SHA",
309 .iana_value = { TLS_RSA_WITH_AES_256_CBC_SHA },
310 .key_exchange_alg = &s2n_rsa,
311 .auth_method = S2N_AUTHENTICATION_RSA,
312 .record_alg = NULL,
313 .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
314 .num_record_algs = 2,
315 .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
316 .prf_alg = S2N_HMAC_SHA256,
317 .minimum_required_tls_version = S2N_SSLv3,
318 };
319
320 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_cbc_sha = /* 0x00,0x39 */ {
321 .available = 0,
322 .name = "DHE-RSA-AES256-SHA",
323 .iana_value = { TLS_DHE_RSA_WITH_AES_256_CBC_SHA },
324 .key_exchange_alg = &s2n_dhe,
325 .auth_method = S2N_AUTHENTICATION_RSA,
326 .record_alg = NULL,
327 .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
328 .num_record_algs = 2,
329 .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
330 .prf_alg = S2N_HMAC_SHA256,
331 .minimum_required_tls_version = S2N_SSLv3,
332 };
333
334 struct s2n_cipher_suite s2n_rsa_with_aes_128_cbc_sha256 = /* 0x00,0x3C */ {
335 .available = 0,
336 .name = "AES128-SHA256",
337 .iana_value = { TLS_RSA_WITH_AES_128_CBC_SHA256 },
338 .key_exchange_alg = &s2n_rsa,
339 .auth_method = S2N_AUTHENTICATION_RSA,
340 .record_alg = NULL,
341 .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
342 .num_record_algs = 2,
343 .sslv3_record_alg = NULL,
344 .prf_alg = S2N_HMAC_SHA256,
345 .minimum_required_tls_version = S2N_TLS12,
346 };
347
348 struct s2n_cipher_suite s2n_rsa_with_aes_256_cbc_sha256 = /* 0x00,0x3D */ {
349 .available = 0,
350 .name = "AES256-SHA256",
351 .iana_value = { TLS_RSA_WITH_AES_256_CBC_SHA256 },
352 .key_exchange_alg = &s2n_rsa,
353 .auth_method = S2N_AUTHENTICATION_RSA,
354 .record_alg = NULL,
355 .all_record_algs = { &s2n_record_alg_aes256_sha256_composite, &s2n_record_alg_aes256_sha256 },
356 .num_record_algs = 2,
357 .sslv3_record_alg = NULL,
358 .prf_alg = S2N_HMAC_SHA256,
359 .minimum_required_tls_version = S2N_TLS12,
360 };
361
362 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_cbc_sha256 = /* 0x00,0x67 */ {
363 .available = 0,
364 .name = "DHE-RSA-AES128-SHA256",
365 .iana_value = { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 },
366 .key_exchange_alg = &s2n_dhe,
367 .auth_method = S2N_AUTHENTICATION_RSA,
368 .record_alg = NULL,
369 .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
370 .num_record_algs = 2,
371 .sslv3_record_alg = NULL,
372 .prf_alg = S2N_HMAC_SHA256,
373 .minimum_required_tls_version = S2N_TLS12,
374 };
375
376 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_cbc_sha256 = /* 0x00,0x6B */ {
377 .available = 0,
378 .name = "DHE-RSA-AES256-SHA256",
379 .iana_value = { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 },
380 .key_exchange_alg = &s2n_dhe,
381 .auth_method = S2N_AUTHENTICATION_RSA,
382 .record_alg = NULL,
383 .all_record_algs = { &s2n_record_alg_aes256_sha256_composite, &s2n_record_alg_aes256_sha256 },
384 .num_record_algs = 2,
385 .sslv3_record_alg = NULL,
386 .prf_alg = S2N_HMAC_SHA256,
387 .minimum_required_tls_version = S2N_TLS12,
388 };
389
390 struct s2n_cipher_suite s2n_rsa_with_aes_128_gcm_sha256 = /* 0x00,0x9C */ {
391 .available = 0,
392 .name = "AES128-GCM-SHA256",
393 .iana_value = { TLS_RSA_WITH_AES_128_GCM_SHA256 },
394 .key_exchange_alg = &s2n_rsa,
395 .auth_method = S2N_AUTHENTICATION_RSA,
396 .record_alg = NULL,
397 .all_record_algs = { &s2n_record_alg_aes128_gcm },
398 .num_record_algs = 1,
399 .sslv3_record_alg = NULL,
400 .prf_alg = S2N_HMAC_SHA256,
401 .minimum_required_tls_version = S2N_TLS12,
402 };
403
404 struct s2n_cipher_suite s2n_rsa_with_aes_256_gcm_sha384 = /* 0x00,0x9D */ {
405 .available = 0,
406 .name = "AES256-GCM-SHA384",
407 .iana_value = { TLS_RSA_WITH_AES_256_GCM_SHA384 },
408 .key_exchange_alg = &s2n_rsa,
409 .auth_method = S2N_AUTHENTICATION_RSA,
410 .record_alg = NULL,
411 .all_record_algs = { &s2n_record_alg_aes256_gcm },
412 .num_record_algs = 1,
413 .sslv3_record_alg = NULL,
414 .prf_alg = S2N_HMAC_SHA384,
415 .minimum_required_tls_version = S2N_TLS12,
416 };
417
418 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_gcm_sha256 = /* 0x00,0x9E */ {
419 .available = 0,
420 .name = "DHE-RSA-AES128-GCM-SHA256",
421 .iana_value = { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 },
422 .key_exchange_alg = &s2n_dhe,
423 .auth_method = S2N_AUTHENTICATION_RSA,
424 .record_alg = NULL,
425 .all_record_algs = { &s2n_record_alg_aes128_gcm },
426 .num_record_algs = 1,
427 .sslv3_record_alg = NULL,
428 .prf_alg = S2N_HMAC_SHA256,
429 .minimum_required_tls_version = S2N_TLS12,
430 };
431
432 struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_gcm_sha384 = /* 0x00,0x9F */ {
433 .available = 0,
434 .name = "DHE-RSA-AES256-GCM-SHA384",
435 .iana_value = { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 },
436 .key_exchange_alg = &s2n_dhe,
437 .auth_method = S2N_AUTHENTICATION_RSA,
438 .record_alg = NULL,
439 .all_record_algs = { &s2n_record_alg_aes256_gcm },
440 .num_record_algs = 1,
441 .sslv3_record_alg = NULL,
442 .prf_alg = S2N_HMAC_SHA384,
443 .minimum_required_tls_version = S2N_TLS12,
444 };
445
446 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_cbc_sha = /* 0xC0,0x09 */ {
447 .available = 0,
448 .name = "ECDHE-ECDSA-AES128-SHA",
449 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA },
450 .key_exchange_alg = &s2n_ecdhe,
451 .auth_method = S2N_AUTHENTICATION_ECDSA,
452 .record_alg = NULL,
453 .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
454 .num_record_algs = 2,
455 .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
456 .prf_alg = S2N_HMAC_SHA256,
457 .minimum_required_tls_version = S2N_SSLv3,
458 };
459
460 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_cbc_sha = /* 0xC0,0x0A */ {
461 .available = 0,
462 .name = "ECDHE-ECDSA-AES256-SHA",
463 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA },
464 .key_exchange_alg = &s2n_ecdhe,
465 .auth_method = S2N_AUTHENTICATION_ECDSA,
466 .record_alg = NULL,
467 .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
468 .num_record_algs = 2,
469 .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
470 .prf_alg = S2N_HMAC_SHA256,
471 .minimum_required_tls_version = S2N_SSLv3,
472 };
473
474 struct s2n_cipher_suite s2n_ecdhe_rsa_with_rc4_128_sha = /* 0xC0,0x11 */ {
475 .available = 0,
476 .name = "ECDHE-RSA-RC4-SHA",
477 .iana_value = { TLS_ECDHE_RSA_WITH_RC4_128_SHA },
478 .key_exchange_alg = &s2n_ecdhe,
479 .auth_method = S2N_AUTHENTICATION_RSA,
480 .record_alg = NULL,
481 .all_record_algs = { &s2n_record_alg_rc4_sha },
482 .num_record_algs = 1,
483 .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_sha,
484 .prf_alg = S2N_HMAC_SHA256,
485 .minimum_required_tls_version = S2N_SSLv3,
486 };
487
488 struct s2n_cipher_suite s2n_ecdhe_rsa_with_3des_ede_cbc_sha = /* 0xC0,0x12 */ {
489 .available = 0,
490 .name = "ECDHE-RSA-DES-CBC3-SHA",
491 .iana_value = { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA },
492 .key_exchange_alg = &s2n_ecdhe,
493 .auth_method = S2N_AUTHENTICATION_RSA,
494 .record_alg = NULL,
495 .all_record_algs = { &s2n_record_alg_3des_sha },
496 .num_record_algs = 1,
497 .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
498 .prf_alg = S2N_HMAC_SHA256,
499 .minimum_required_tls_version = S2N_SSLv3,
500 };
501
502 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_cbc_sha = /* 0xC0,0x13 */ {
503 .available = 0,
504 .name = "ECDHE-RSA-AES128-SHA",
505 .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA },
506 .key_exchange_alg = &s2n_ecdhe,
507 .auth_method = S2N_AUTHENTICATION_RSA,
508 .record_alg = NULL,
509 .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
510 .num_record_algs = 2,
511 .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
512 .prf_alg = S2N_HMAC_SHA256,
513 .minimum_required_tls_version = S2N_SSLv3,
514 };
515
516 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_cbc_sha = /* 0xC0,0x14 */ {
517 .available = 0,
518 .name = "ECDHE-RSA-AES256-SHA",
519 .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA },
520 .key_exchange_alg = &s2n_ecdhe,
521 .auth_method = S2N_AUTHENTICATION_RSA,
522 .record_alg = NULL,
523 .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
524 .num_record_algs = 2,
525 .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
526 .prf_alg = S2N_HMAC_SHA256,
527 .minimum_required_tls_version = S2N_SSLv3,
528 };
529
530 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256 = /* 0xC0,0x23 */ {
531 .available = 0,
532 .name = "ECDHE-ECDSA-AES128-SHA256",
533 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 },
534 .key_exchange_alg = &s2n_ecdhe,
535 .auth_method = S2N_AUTHENTICATION_ECDSA,
536 .record_alg = NULL,
537 .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
538 .num_record_algs = 2,
539 .sslv3_record_alg = NULL,
540 .prf_alg = S2N_HMAC_SHA256,
541 .minimum_required_tls_version = S2N_TLS12,
542 };
543
544 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384 = /* 0xC0,0x24 */ {
545 .available = 0,
546 .name = "ECDHE-ECDSA-AES256-SHA384",
547 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 },
548 .key_exchange_alg = &s2n_ecdhe,
549 .auth_method = S2N_AUTHENTICATION_ECDSA,
550 .record_alg = NULL,
551 .all_record_algs = { &s2n_record_alg_aes256_sha384 },
552 .num_record_algs = 1,
553 .sslv3_record_alg = NULL,
554 .prf_alg = S2N_HMAC_SHA384,
555 .minimum_required_tls_version = S2N_TLS12,
556 };
557
558 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_cbc_sha256 = /* 0xC0,0x27 */ {
559 .available = 0,
560 .name = "ECDHE-RSA-AES128-SHA256",
561 .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 },
562 .key_exchange_alg = &s2n_ecdhe,
563 .auth_method = S2N_AUTHENTICATION_RSA,
564 .record_alg = NULL,
565 .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
566 .num_record_algs = 2,
567 .sslv3_record_alg = NULL,
568 .prf_alg = S2N_HMAC_SHA256,
569 .minimum_required_tls_version = S2N_TLS12,
570 };
571
572 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_cbc_sha384 = /* 0xC0,0x28 */ {
573 .available = 0,
574 .name = "ECDHE-RSA-AES256-SHA384",
575 .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 },
576 .key_exchange_alg = &s2n_ecdhe,
577 .auth_method = S2N_AUTHENTICATION_RSA,
578 .record_alg = NULL,
579 .all_record_algs = { &s2n_record_alg_aes256_sha384 },
580 .num_record_algs = 1,
581 .sslv3_record_alg = NULL,
582 .prf_alg = S2N_HMAC_SHA384,
583 .minimum_required_tls_version = S2N_TLS12,
584 };
585
586 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256 = /* 0xC0,0x2B */ {
587 .available = 0,
588 .name = "ECDHE-ECDSA-AES128-GCM-SHA256",
589 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 },
590 .key_exchange_alg = &s2n_ecdhe,
591 .auth_method = S2N_AUTHENTICATION_ECDSA,
592 .record_alg = NULL,
593 .all_record_algs = { &s2n_record_alg_aes128_gcm },
594 .num_record_algs = 1,
595 .sslv3_record_alg = NULL,
596 .prf_alg = S2N_HMAC_SHA256,
597 .minimum_required_tls_version = S2N_TLS12,
598 };
599
600 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384 = /* 0xC0,0x2C */ {
601 .available = 0,
602 .name = "ECDHE-ECDSA-AES256-GCM-SHA384",
603 .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 },
604 .key_exchange_alg = &s2n_ecdhe,
605 .auth_method = S2N_AUTHENTICATION_ECDSA,
606 .record_alg = NULL,
607 .all_record_algs = { &s2n_record_alg_aes256_gcm },
608 .num_record_algs = 1,
609 .sslv3_record_alg = NULL,
610 .prf_alg = S2N_HMAC_SHA384,
611 .minimum_required_tls_version = S2N_TLS12,
612 };
613
614 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_gcm_sha256 = /* 0xC0,0x2F */ {
615 .available = 0,
616 .name = "ECDHE-RSA-AES128-GCM-SHA256",
617 .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 },
618 .key_exchange_alg = &s2n_ecdhe,
619 .auth_method = S2N_AUTHENTICATION_RSA,
620 .record_alg = NULL,
621 .all_record_algs = { &s2n_record_alg_aes128_gcm },
622 .num_record_algs = 1,
623 .sslv3_record_alg = NULL,
624 .prf_alg = S2N_HMAC_SHA256,
625 .minimum_required_tls_version = S2N_TLS12,
626 };
627
628 struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_gcm_sha384 = /* 0xC0,0x30 */ {
629 .available = 0,
630 .name = "ECDHE-RSA-AES256-GCM-SHA384",
631 .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 },
632 .key_exchange_alg = &s2n_ecdhe,
633 .auth_method = S2N_AUTHENTICATION_RSA,
634 .record_alg = NULL,
635 .all_record_algs = { &s2n_record_alg_aes256_gcm },
636 .num_record_algs = 1,
637 .sslv3_record_alg = NULL,
638 .prf_alg = S2N_HMAC_SHA384,
639 .minimum_required_tls_version = S2N_TLS12,
640 };
641
642 struct s2n_cipher_suite s2n_ecdhe_rsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xA8 */ {
643 .available = 0,
644 .name = "ECDHE-RSA-CHACHA20-POLY1305",
645 .iana_value = { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 },
646 .key_exchange_alg = &s2n_ecdhe,
647 .auth_method = S2N_AUTHENTICATION_RSA,
648 .record_alg = NULL,
649 .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
650 .num_record_algs = 1,
651 .sslv3_record_alg = NULL,
652 .prf_alg = S2N_HMAC_SHA256,
653 .minimum_required_tls_version = S2N_TLS12,
654 };
655
656 struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xA9 */ {
657 .available = 0,
658 .name = "ECDHE-ECDSA-CHACHA20-POLY1305",
659 .iana_value = { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 },
660 .key_exchange_alg = &s2n_ecdhe,
661 .auth_method = S2N_AUTHENTICATION_ECDSA,
662 .record_alg = NULL,
663 .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
664 .num_record_algs = 1,
665 .sslv3_record_alg = NULL,
666 .prf_alg = S2N_HMAC_SHA256,
667 .minimum_required_tls_version = S2N_TLS12,
668 };
669
670 struct s2n_cipher_suite s2n_dhe_rsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xAA */ {
671 .available = 0,
672 .name = "DHE-RSA-CHACHA20-POLY1305",
673 .iana_value = { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 },
674 .key_exchange_alg = &s2n_dhe,
675 .auth_method = S2N_AUTHENTICATION_RSA,
676 .record_alg = NULL,
677 .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
678 .num_record_algs = 1,
679 .sslv3_record_alg = NULL,
680 .prf_alg = S2N_HMAC_SHA256,
681 .minimum_required_tls_version = S2N_TLS12,
682 };
683
684 /* From https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid */
685
686 struct s2n_cipher_suite s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384 = /* 0xFF, 0x0C */ {
687 .available = 0,
688 .name = "ECDHE-KYBER-RSA-AES256-GCM-SHA384",
689 .iana_value = { TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384 },
690 .key_exchange_alg = &s2n_hybrid_ecdhe_kem,
691 .auth_method = S2N_AUTHENTICATION_RSA,
692 .record_alg = NULL,
693 .all_record_algs = { &s2n_record_alg_aes256_gcm },
694 .num_record_algs = 1,
695 .sslv3_record_alg = NULL,
696 .prf_alg = S2N_HMAC_SHA384,
697 .minimum_required_tls_version = S2N_TLS12,
698 };
699
700 struct s2n_cipher_suite s2n_ecdhe_bike_rsa_with_aes_256_gcm_sha384 = /* 0xFF, 0x04 */ {
701 .available = 0,
702 .name = "ECDHE-BIKE-RSA-AES256-GCM-SHA384",
703 .iana_value = { TLS_ECDHE_BIKE_RSA_WITH_AES_256_GCM_SHA384 },
704 .key_exchange_alg = &s2n_hybrid_ecdhe_kem,
705 .auth_method = S2N_AUTHENTICATION_RSA,
706 .record_alg = NULL,
707 .all_record_algs = { &s2n_record_alg_aes256_gcm },
708 .num_record_algs = 1,
709 .sslv3_record_alg = NULL,
710 .prf_alg = S2N_HMAC_SHA384,
711 .minimum_required_tls_version = S2N_TLS12,
712 };
713
714 struct s2n_cipher_suite s2n_ecdhe_sike_rsa_with_aes_256_gcm_sha384 = /* 0xFF, 0x08 */ {
715 .available = 0,
716 .name = "ECDHE-SIKE-RSA-AES256-GCM-SHA384",
717 .iana_value = { TLS_ECDHE_SIKE_RSA_WITH_AES_256_GCM_SHA384 },
718 .key_exchange_alg = &s2n_hybrid_ecdhe_kem,
719 .auth_method = S2N_AUTHENTICATION_RSA,
720 .record_alg = NULL,
721 .all_record_algs = { &s2n_record_alg_aes256_gcm },
722 .num_record_algs = 1,
723 .sslv3_record_alg = NULL,
724 .prf_alg = S2N_HMAC_SHA384,
725 .minimum_required_tls_version = S2N_TLS12,
726 };
727
728 struct s2n_cipher_suite s2n_tls13_aes_128_gcm_sha256 = {
729 .available = 0,
730 .name = "TLS_AES_128_GCM_SHA256",
731 .iana_value = { TLS_AES_128_GCM_SHA256 },
732 .key_exchange_alg = NULL,
733 .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
734 .record_alg = NULL,
735 .all_record_algs = { &s2n_tls13_record_alg_aes128_gcm },
736 .num_record_algs = 1,
737 .sslv3_record_alg = NULL,
738 .prf_alg = S2N_HMAC_SHA256,
739 .minimum_required_tls_version = S2N_TLS13,
740 };
741
742 struct s2n_cipher_suite s2n_tls13_aes_256_gcm_sha384 = {
743 .available = 0,
744 .name = "TLS_AES_256_GCM_SHA384",
745 .iana_value = { TLS_AES_256_GCM_SHA384 },
746 .key_exchange_alg = NULL,
747 .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
748 .record_alg = NULL,
749 .all_record_algs = { &s2n_tls13_record_alg_aes256_gcm },
750 .num_record_algs = 1,
751 .sslv3_record_alg = NULL,
752 .prf_alg = S2N_HMAC_SHA384,
753 .minimum_required_tls_version = S2N_TLS13,
754 };
755
756 struct s2n_cipher_suite s2n_tls13_chacha20_poly1305_sha256 = {
757 .available = 0,
758 .name = "TLS_CHACHA20_POLY1305_SHA256",
759 .iana_value = { TLS_CHACHA20_POLY1305_SHA256 },
760 .key_exchange_alg = NULL,
761 .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
762 .record_alg = NULL,
763 .all_record_algs = { &s2n_tls13_record_alg_chacha20_poly1305 },
764 .num_record_algs = 1,
765 .sslv3_record_alg = NULL,
766 .prf_alg = S2N_HMAC_SHA256,
767 .minimum_required_tls_version = S2N_TLS13,
768 };
769
770 /* All of the cipher suites that s2n negotiates in order of IANA value.
771 * New cipher suites MUST be added here, IN ORDER, or they will not be
772 * properly initialized.
773 */
774 static struct s2n_cipher_suite *s2n_all_cipher_suites[] = {
775 &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
776 &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
777 &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
778 &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
779 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
780 &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
781 &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
782 &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
783 &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
784 &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
785 &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
786 &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
787 &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
788 &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
789 &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
790 &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
791
792 &s2n_tls13_aes_128_gcm_sha256, /* 0x13,0x01 */
793 &s2n_tls13_aes_256_gcm_sha384, /* 0x13,0x02 */
794 &s2n_tls13_chacha20_poly1305_sha256, /* 0x13,0x03 */
795
796 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
797 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
798 &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
799 &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
800 &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
801 &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
802 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
803 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
804 &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
805 &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
806 &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
807 &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
808 &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
809 &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
810 &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
811 &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
812 &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
813 &s2n_ecdhe_bike_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x04 */
814 &s2n_ecdhe_sike_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x08 */
815 &s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x0C */
816 };
817
818 /* All supported ciphers. Exposed for integration testing. */
819 const struct s2n_cipher_preferences cipher_preferences_test_all = {
820 .count = s2n_array_len(s2n_all_cipher_suites),
821 .suites = s2n_all_cipher_suites,
822 };
823
824 /* All TLS12 Cipher Suites */
825
826 static struct s2n_cipher_suite *s2n_all_tls12_cipher_suites[] = {
827 &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
828 &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
829 &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
830 &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
831 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
832 &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
833 &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
834 &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
835 &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
836 &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
837 &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
838 &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
839 &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
840 &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
841 &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
842 &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
843
844 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
845 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
846 &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
847 &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
848 &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
849 &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
850 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
851 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
852 &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
853 &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
854 &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
855 &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
856 &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
857 &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
858 &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
859 &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
860 &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
861 &s2n_ecdhe_bike_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x04 */
862 &s2n_ecdhe_sike_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x08 */
863 &s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384, /* 0xFF,0x0C */
864 };
865
866 const struct s2n_cipher_preferences cipher_preferences_test_all_tls12 = {
867 .count = s2n_array_len(s2n_all_tls12_cipher_suites),
868 .suites = s2n_all_tls12_cipher_suites,
869 };
870
871 /* All of the cipher suites that s2n can negotiate when in FIPS mode,
872 * in order of IANA value. Exposed for the "test_all_fips" cipher preference list.
873 */
874 static struct s2n_cipher_suite *s2n_all_fips_cipher_suites[] = {
875 &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
876 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
877 &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
878 &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
879 &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
880 &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
881 &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
882 &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
883 &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
884 &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
885 &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
886 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
887 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
888 &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
889 &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
890 &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
891 &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
892 &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
893 &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
894 };
895
896 /* All supported FIPS ciphers. Exposed for integration testing. */
897 const struct s2n_cipher_preferences cipher_preferences_test_all_fips = {
898 .count = s2n_array_len(s2n_all_fips_cipher_suites),
899 .suites = s2n_all_fips_cipher_suites,
900 };
901
902 /* All of the ECDSA cipher suites that s2n can negotiate, in order of IANA
903 * value. Exposed for the "test_all_ecdsa" cipher preference list.
904 */
905 static struct s2n_cipher_suite *s2n_all_ecdsa_cipher_suites[] = {
906 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
907 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
908 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
909 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
910 &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
911 &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
912 &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
913 };
914
915 /* All supported ECDSA cipher suites. Exposed for integration testing. */
916 const struct s2n_cipher_preferences cipher_preferences_test_all_ecdsa = {
917 .count = s2n_array_len(s2n_all_ecdsa_cipher_suites),
918 .suites = s2n_all_ecdsa_cipher_suites,
919 };
920
921 /* All cipher suites that uses RSA key exchange. Exposed for unit or integration tests. */
922 static struct s2n_cipher_suite *s2n_all_rsa_kex_cipher_suites[] = {
923 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
924 &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
925 &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
926 &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
927 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
928 &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
929 &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
930 &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
931 &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
932 &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
933 };
934
935 /* Cipher preferences with rsa key exchange. Exposed for unit and integration tests. */
936 const struct s2n_cipher_preferences cipher_preferences_test_all_rsa_kex = {
937 .count = s2n_array_len(s2n_all_rsa_kex_cipher_suites),
938 .suites = s2n_all_rsa_kex_cipher_suites,
939 };
940
941 /* All ECDSA cipher suites first, then the rest of the supported ciphers that s2n can negotiate.
942 * Exposed for the "test_ecdsa_priority" cipher preference list.
943 */
944 static struct s2n_cipher_suite *s2n_ecdsa_priority_cipher_suites[] = {
945 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
946 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
947 &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
948 &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
949 &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
950 &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
951 &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
952 &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
953 &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
954 &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
955 &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
956 &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
957 &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
958 &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
959 &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
960 &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
961 &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
962 &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
963 &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
964 &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
965 &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
966 &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
967 &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
968 &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
969 &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
970 &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
971 &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
972 &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
973 &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
974 &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
975 &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
976 &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
977 &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
978 };
979
980 /* All cipher suites, but with ECDSA priority. Exposed for integration testing. */
981 const struct s2n_cipher_preferences cipher_preferences_test_ecdsa_priority = {
982 .count = s2n_array_len(s2n_ecdsa_priority_cipher_suites),
983 .suites = s2n_ecdsa_priority_cipher_suites,
984 };
985
986 static struct s2n_cipher_suite *s2n_all_tls13_cipher_suites[] = {
987 &s2n_tls13_aes_128_gcm_sha256, /* 0x13,0x01 */
988 &s2n_tls13_aes_256_gcm_sha384, /* 0x13,0x02 */
989 &s2n_tls13_chacha20_poly1305_sha256, /* 0x13,0x03 */
990 };
991
992 const struct s2n_cipher_preferences cipher_preferences_test_all_tls13 = {
993 .count = s2n_array_len(s2n_all_tls13_cipher_suites),
994 .suites = s2n_all_tls13_cipher_suites,
995 };
996
997 static bool should_init_crypto = true;
998 static bool crypto_initialized = false;
s2n_crypto_disable_init(void)999 int s2n_crypto_disable_init(void) {
1000 POSIX_ENSURE(!crypto_initialized, S2N_ERR_INITIALIZED);
1001 should_init_crypto = false;
1002 return S2N_SUCCESS;
1003 }
1004
1005 /* Determines cipher suite availability and selects record algorithms */
s2n_cipher_suites_init(void)1006 int s2n_cipher_suites_init(void)
1007 {
1008 const int num_cipher_suites = s2n_array_len(s2n_all_cipher_suites);
1009 for (int i = 0; i < num_cipher_suites; i++) {
1010 struct s2n_cipher_suite *cur_suite = s2n_all_cipher_suites[i];
1011 cur_suite->available = 0;
1012 cur_suite->record_alg = NULL;
1013
1014 /* Find the highest priority supported record algorithm */
1015 for (int j = 0; j < cur_suite->num_record_algs; j++) {
1016 /* Can we use the record algorithm's cipher? Won't be available if the system CPU architecture
1017 * doesn't support it or if the libcrypto lacks the feature. All hmac_algs are supported.
1018 */
1019 if (cur_suite->all_record_algs[j]->cipher->is_available()) {
1020 /* Found a supported record algorithm. Use it. */
1021 cur_suite->available = 1;
1022 cur_suite->record_alg = cur_suite->all_record_algs[j];
1023 break;
1024 }
1025 }
1026
1027 /* Mark PQ cipher suites as unavailable if PQ is disabled */
1028 if (s2n_kex_includes(cur_suite->key_exchange_alg, &s2n_kem) && !s2n_pq_is_enabled()) {
1029 cur_suite->available = 0;
1030 cur_suite->record_alg = NULL;
1031 }
1032
1033 /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */
1034 if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) {
1035 struct s2n_blob cur_suite_mem = { .data = (uint8_t *) cur_suite, .size = sizeof(struct s2n_cipher_suite) };
1036 struct s2n_blob new_suite_mem = { 0 };
1037 POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem));
1038
1039 struct s2n_cipher_suite *new_suite = (struct s2n_cipher_suite *)(void *)new_suite_mem.data;
1040 new_suite->available = 1;
1041 new_suite->record_alg = cur_suite->sslv3_record_alg;
1042 cur_suite->sslv3_cipher_suite = new_suite;
1043 } else {
1044 cur_suite->sslv3_cipher_suite = cur_suite;
1045 }
1046 }
1047
1048 if (should_init_crypto) {
1049 #if !S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
1050 /*https://wiki.openssl.org/index.php/Manual:OpenSSL_add_all_algorithms(3)*/
1051 OpenSSL_add_all_algorithms();
1052 #else
1053 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
1054 #endif
1055 }
1056
1057 crypto_initialized = true;
1058
1059 return S2N_SUCCESS;
1060 }
1061
1062 /* Reset any selected record algorithms */
s2n_cipher_suites_cleanup(void)1063 int s2n_cipher_suites_cleanup(void)
1064 {
1065 const int num_cipher_suites = sizeof(s2n_all_cipher_suites) / sizeof(struct s2n_cipher_suite *);
1066 for (int i = 0; i < num_cipher_suites; i++) {
1067 struct s2n_cipher_suite *cur_suite = s2n_all_cipher_suites[i];
1068 cur_suite->available = 0;
1069 cur_suite->record_alg = NULL;
1070
1071 /* Release custom SSLv3 cipher suites */
1072 if (cur_suite->sslv3_cipher_suite != cur_suite) {
1073 POSIX_GUARD(s2n_free_object((uint8_t **)&cur_suite->sslv3_cipher_suite, sizeof(struct s2n_cipher_suite)));
1074 }
1075 cur_suite->sslv3_cipher_suite = NULL;
1076 }
1077
1078 if (should_init_crypto) {
1079 #if !S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
1080 /*https://wiki.openssl.org/index.php/Manual:OpenSSL_add_all_algorithms(3)*/
1081 EVP_cleanup();
1082
1083 /* per the reqs here https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html we don't explicitly call
1084 * cleanup in later versions */
1085 #endif
1086 }
1087
1088 return 0;
1089 }
1090
s2n_cipher_suite_from_iana(const uint8_t iana[],struct s2n_cipher_suite ** cipher_suite)1091 S2N_RESULT s2n_cipher_suite_from_iana(const uint8_t iana[], struct s2n_cipher_suite **cipher_suite)
1092 {
1093 RESULT_ENSURE_REF(cipher_suite);
1094 *cipher_suite = NULL;
1095 RESULT_ENSURE_REF(iana);
1096
1097 int low = 0;
1098 int top = s2n_array_len(s2n_all_cipher_suites) - 1;
1099
1100 /* Perform a textbook binary search */
1101 while (low <= top) {
1102 /* Check in the middle */
1103 size_t mid = low + ((top - low) / 2);
1104 int m = memcmp(s2n_all_cipher_suites[mid]->iana_value, iana, S2N_TLS_CIPHER_SUITE_LEN);
1105
1106 if (m == 0) {
1107 *cipher_suite = s2n_all_cipher_suites[mid];
1108 return S2N_RESULT_OK;
1109 } else if (m > 0) {
1110 top = mid - 1;
1111 } else if (m < 0) {
1112 low = mid + 1;
1113 }
1114 }
1115 RESULT_BAIL(S2N_ERR_CIPHER_NOT_SUPPORTED);
1116 }
1117
s2n_set_cipher_as_client(struct s2n_connection * conn,uint8_t wire[S2N_TLS_CIPHER_SUITE_LEN])1118 int s2n_set_cipher_as_client(struct s2n_connection *conn, uint8_t wire[S2N_TLS_CIPHER_SUITE_LEN])
1119 {
1120 POSIX_ENSURE_REF(conn);
1121 POSIX_ENSURE_REF(conn->secure.cipher_suite);
1122
1123 const struct s2n_security_policy *security_policy;
1124 POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
1125 POSIX_ENSURE_REF(security_policy);
1126
1127 struct s2n_cipher_suite *cipher_suite = NULL;
1128 for (size_t i = 0; i < security_policy->cipher_preferences->count; i++) {
1129 const uint8_t *ours = security_policy->cipher_preferences->suites[i]->iana_value;
1130 if (memcmp(wire, ours, S2N_TLS_CIPHER_SUITE_LEN) == 0) {
1131 cipher_suite = security_policy->cipher_preferences->suites[i];
1132 break;
1133 }
1134 }
1135 POSIX_ENSURE(cipher_suite != NULL, S2N_ERR_CIPHER_NOT_SUPPORTED);
1136 POSIX_ENSURE(cipher_suite->available, S2N_ERR_CIPHER_NOT_SUPPORTED);
1137
1138 /** Clients MUST verify
1139 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.11
1140 *# that the server selected a cipher suite
1141 *# indicating a Hash associated with the PSK
1142 **/
1143 if (conn->psk_params.chosen_psk) {
1144 POSIX_ENSURE(cipher_suite->prf_alg == conn->psk_params.chosen_psk->hmac_alg,
1145 S2N_ERR_CIPHER_NOT_SUPPORTED);
1146 }
1147
1148 /* Verify cipher suite sent in server hello is the same as sent in hello retry */
1149 if (s2n_is_hello_retry_handshake(conn) && !s2n_is_hello_retry_message(conn)) {
1150 POSIX_ENSURE(conn->secure.cipher_suite->iana_value == cipher_suite->iana_value, S2N_ERR_CIPHER_NOT_SUPPORTED);
1151 return S2N_SUCCESS;
1152 }
1153
1154 conn->secure.cipher_suite = cipher_suite;
1155
1156 /* For SSLv3 use SSLv3-specific ciphers */
1157 if (conn->actual_protocol_version == S2N_SSLv3) {
1158 conn->secure.cipher_suite = conn->secure.cipher_suite->sslv3_cipher_suite;
1159 POSIX_ENSURE_REF(conn->secure.cipher_suite);
1160 }
1161
1162 return 0;
1163 }
1164
s2n_wire_ciphers_contain(const uint8_t * match,const uint8_t * wire,uint32_t count,uint32_t cipher_suite_len)1165 static int s2n_wire_ciphers_contain(const uint8_t *match, const uint8_t *wire, uint32_t count, uint32_t cipher_suite_len)
1166 {
1167 for (uint32_t i = 0; i < count; i++) {
1168 const uint8_t *theirs = wire + (i * cipher_suite_len) + (cipher_suite_len - S2N_TLS_CIPHER_SUITE_LEN);
1169
1170 if (!memcmp(match, theirs, S2N_TLS_CIPHER_SUITE_LEN)) {
1171 return 1;
1172 }
1173 }
1174
1175 return 0;
1176 }
1177
s2n_set_cipher_as_server(struct s2n_connection * conn,uint8_t * wire,uint32_t count,uint32_t cipher_suite_len)1178 static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire, uint32_t count, uint32_t cipher_suite_len)
1179 {
1180 uint8_t renegotiation_info_scsv[S2N_TLS_CIPHER_SUITE_LEN] = { TLS_EMPTY_RENEGOTIATION_INFO_SCSV };
1181 struct s2n_cipher_suite *higher_vers_match = NULL;
1182
1183 /* RFC 7507 - If client is attempting to negotiate a TLS Version that is lower than the highest supported server
1184 * version, and the client cipher list contains TLS_FALLBACK_SCSV, then the server must abort the connection since
1185 * TLS_FALLBACK_SCSV should only be present when the client previously failed to negotiate a higher TLS version.
1186 */
1187 if (conn->client_protocol_version < conn->server_protocol_version) {
1188 uint8_t fallback_scsv[S2N_TLS_CIPHER_SUITE_LEN] = { TLS_FALLBACK_SCSV };
1189 if (s2n_wire_ciphers_contain(fallback_scsv, wire, count, cipher_suite_len)) {
1190 conn->closed = 1;
1191 POSIX_BAIL(S2N_ERR_FALLBACK_DETECTED);
1192 }
1193 }
1194
1195 /* RFC5746 Section 3.6: A server must check if TLS_EMPTY_RENEGOTIATION_INFO_SCSV is included */
1196 if (s2n_wire_ciphers_contain(renegotiation_info_scsv, wire, count, cipher_suite_len)) {
1197 conn->secure_renegotiation = 1;
1198 }
1199
1200 const struct s2n_security_policy *security_policy;
1201 POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
1202
1203 /* s2n supports only server order */
1204 for (int i = 0; i < security_policy->cipher_preferences->count; i++) {
1205 const uint8_t *ours = security_policy->cipher_preferences->suites[i]->iana_value;
1206
1207 if (s2n_wire_ciphers_contain(ours, wire, count, cipher_suite_len)) {
1208 /* We have a match */
1209 struct s2n_cipher_suite *match = security_policy->cipher_preferences->suites[i];
1210
1211 /* Never use TLS1.3 ciphers on a pre-TLS1.3 connection, and vice versa */
1212 if ((conn->actual_protocol_version >= S2N_TLS13) != (match->minimum_required_tls_version >= S2N_TLS13)) {
1213 continue;
1214 }
1215
1216 /* If connection is for SSLv3, use SSLv3 version of suites */
1217 if (conn->client_protocol_version == S2N_SSLv3) {
1218 match = match->sslv3_cipher_suite;
1219 }
1220
1221 /* Skip the suite if we don't have an available implementation */
1222 if (!match->available) {
1223 continue;
1224 }
1225
1226 /* Make sure the cipher is valid for available certs */
1227 if (s2n_is_cipher_suite_valid_for_auth(conn, match) != S2N_SUCCESS) {
1228 continue;
1229 }
1230
1231 /* TLS 1.3 does not include key exchange in cipher suites */
1232 if (match->minimum_required_tls_version < S2N_TLS13) {
1233 /* If the kex is not supported continue to the next candidate */
1234 bool kex_supported = false;
1235 POSIX_GUARD_RESULT(s2n_kex_supported(match, conn, &kex_supported));
1236 if (!kex_supported) {
1237 continue;
1238 }
1239
1240 /* If the kex is not configured correctly continue to the next candidate */
1241 if (s2n_result_is_error(s2n_configure_kex(match, conn))) {
1242 continue;
1243 }
1244 }
1245
1246 /**
1247 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.11
1248 *# The server MUST ensure that it selects a compatible PSK
1249 *# (if any) and cipher suite.
1250 **/
1251 if (conn->psk_params.chosen_psk != NULL) {
1252 if (match->prf_alg != conn->psk_params.chosen_psk->hmac_alg) {
1253 continue;
1254 }
1255 }
1256
1257 /* Don't immediately choose a cipher the connection shouldn't be able to support */
1258 if (conn->actual_protocol_version < match->minimum_required_tls_version) {
1259 if (!higher_vers_match) {
1260 higher_vers_match = match;
1261 }
1262 continue;
1263 }
1264
1265 conn->secure.cipher_suite = match;
1266 return S2N_SUCCESS;
1267 }
1268 }
1269
1270 /* Settle for a cipher with a higher required proto version, if it was set */
1271 if (higher_vers_match) {
1272 conn->secure.cipher_suite = higher_vers_match;
1273 return S2N_SUCCESS;
1274 }
1275
1276 POSIX_BAIL(S2N_ERR_CIPHER_NOT_SUPPORTED);
1277 }
1278
s2n_set_cipher_as_sslv2_server(struct s2n_connection * conn,uint8_t * wire,uint16_t count)1279 int s2n_set_cipher_as_sslv2_server(struct s2n_connection *conn, uint8_t *wire, uint16_t count)
1280 {
1281 return s2n_set_cipher_as_server(conn, wire, count, S2N_SSLv2_CIPHER_SUITE_LEN);
1282 }
1283
s2n_set_cipher_as_tls_server(struct s2n_connection * conn,uint8_t * wire,uint16_t count)1284 int s2n_set_cipher_as_tls_server(struct s2n_connection *conn, uint8_t *wire, uint16_t count)
1285 {
1286 return s2n_set_cipher_as_server(conn, wire, count, S2N_TLS_CIPHER_SUITE_LEN);
1287 }
1288
s2n_cipher_suite_requires_ecc_extension(struct s2n_cipher_suite * cipher)1289 bool s2n_cipher_suite_requires_ecc_extension(struct s2n_cipher_suite *cipher)
1290 {
1291 if(!cipher) {
1292 return false;
1293 }
1294
1295 /* TLS1.3 does not include key exchange algorithms in its cipher suites,
1296 * but the elliptic curves extension is always required. */
1297 if (cipher->minimum_required_tls_version >= S2N_TLS13) {
1298 return true;
1299 }
1300
1301 if (s2n_kex_includes(cipher->key_exchange_alg, &s2n_ecdhe)) {
1302 return true;
1303 }
1304
1305 return false;
1306 }
1307
s2n_cipher_suite_requires_pq_extension(struct s2n_cipher_suite * cipher)1308 bool s2n_cipher_suite_requires_pq_extension(struct s2n_cipher_suite *cipher)
1309 {
1310 if(!cipher) {
1311 return false;
1312 }
1313
1314 if (s2n_kex_includes(cipher->key_exchange_alg, &s2n_kem)) {
1315 return true;
1316 }
1317 return false;
1318 }
1319