Revert "fail on default_fips usage"

This reverts commit 4870588.
aws · Sep 25, 2024 · 695c27d · 695c27d
1 parent 715363b
commit 695c27d
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 45 deletions.
diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
@@ -71,9 +71,7 @@ int main(int argc, char **argv)
 
     const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
-    dbg_bail = false;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
-    dbg_bail = true;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
 
     char cert[S2N_MAX_TEST_PEM_SIZE] = { 0 };

diff --git a/tests/unit/s2n_connection_preferences_test.c b/tests/unit/s2n_connection_preferences_test.c
@@ -30,9 +30,7 @@ int main(int argc, char **argv)
 
     const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
-    dbg_bail = false;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
-    dbg_bail = true;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
 
     /* Test default TLS1.2 */

diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
@@ -507,9 +507,7 @@ int main(int argc, char **argv)
 
         for (size_t i = 0; i < s2n_array_len(tls12_only_security_policy_strings); i++) {
             security_policy = NULL;
-            dbg_bail = false;
             EXPECT_SUCCESS(s2n_find_security_policy_from_version(tls12_only_security_policy_strings[i], &security_policy));
-            dbg_bail = true;
             EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
         }
 
@@ -972,15 +970,11 @@ int main(int argc, char **argv)
         {
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "default", rsa_chain_and_key));
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "default_tls13", rsa_chain_and_key));
-            dbg_bail = false;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "default_fips", rsa_chain_and_key));
-            dbg_bail = true;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "20230317", rsa_chain_and_key));
 
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "default_tls13", ecdsa_chain_and_key));
-            dbg_bail = false;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "default_fips", ecdsa_chain_and_key));
-            dbg_bail = true;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20230317, "20230317", ecdsa_chain_and_key));
 
             if (s2n_is_rsa_pss_certs_supported()) {
@@ -1004,21 +998,17 @@ int main(int argc, char **argv)
                     "default", rsa_chain_and_key));
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "default_tls13", rsa_chain_and_key));
-            dbg_bail = false;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "default_fips", rsa_chain_and_key));
-            dbg_bail = true;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "20230317", rsa_chain_and_key));
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "20240331", rsa_chain_and_key));
 
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "default_tls13", ecdsa_chain_and_key));
-            dbg_bail = false;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "default_fips", ecdsa_chain_and_key));
-            dbg_bail = true;
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
                     "20230317", ecdsa_chain_and_key));
             EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240331,
@@ -1094,11 +1084,9 @@ int main(int argc, char **argv)
                 { .cert = ecdsa_chain_and_key },
             };
 
-            dbg_bail = false;
             EXPECT_OK(s2n_test_default_backwards_compatible("default_fips",
                     versioned_policies, s2n_array_len(versioned_policies),
                     supported_certs, s2n_array_len(supported_certs)));
-            dbg_bail = true;
         };
     };
 

diff --git a/tls/s2n_config.c b/tls/s2n_config.c
@@ -51,10 +51,6 @@ static int monotonic_clock(void *data, uint64_t *nanoseconds)
     return 0;
 }
 
-/* Used to add exception when creating a new config */
-bool dbg_config_init = true;
-/* Control exception to the "default" policy usage */
-bool dbg_bail = true;
 static int wall_clock(void *data, uint64_t *nanoseconds)
 {
     struct timespec current_time = { 0 };
@@ -108,11 +104,7 @@ static int s2n_config_init(struct s2n_config *config)
     if (s2n_use_default_tls13_config()) {
         POSIX_GUARD(s2n_config_setup_tls13(config));
     } else if (s2n_is_in_fips_mode()) {
-        /* TODO remove */
-        /* avoid bailing when creating a new config `s2n_config_new()` */
-        dbg_config_init = false;
         POSIX_GUARD(s2n_config_setup_fips(config));
-        dbg_config_init = true;
     }
 
     POSIX_GUARD_PTR(config->domain_name_to_cert_map = s2n_map_new_with_initial_capacity(1));

diff --git a/tls/s2n_config.h b/tls/s2n_config.h
@@ -31,10 +31,6 @@
 #include "utils/s2n_blob.h"
 #include "utils/s2n_set.h"
 
-/* TODO remove */
-extern bool dbg_config_init;
-extern bool dbg_bail;
-
 #define S2N_MAX_TICKET_KEYS       48
 #define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */
 

diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -18,7 +18,6 @@
 #include "api/s2n.h"
 #include "tls/s2n_certificate_keys.h"
 #include "tls/s2n_connection.h"
-#include "utils/s2n_init.h"
 #include "utils/s2n_safety.h"
 
 /* TLS1.2 default as of 05/24 */
@@ -1271,22 +1270,6 @@ int s2n_find_security_policy_from_version(const char *version, const struct s2n_
     POSIX_ENSURE_REF(version);
     POSIX_ENSURE_REF(security_policy);
 
-    bool matches_default = strcmp(version, "default_fips") == 0;
-    bool should_bail =
-            /* allow for exception for tests which actually want to test the "default" policy */
-            dbg_bail &&
-            /* allow for s2n_config_new object creation */
-            dbg_config_init &&
-            /* s2n_init() creates a "default" static config so only bail after initialization is complete; */
-            s2n_is_initialized() &&
-            /* attempting to use the "default" policy */
-            matches_default;
-
-    if (should_bail) {
-        printf("\nBail------- s2n_find_from_version: config_init: %d", dbg_config_init);
-        POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
-    }
-
     for (int i = 0; security_policy_selection[i].version != NULL; i++) {
         if (!strcasecmp(version, security_policy_selection[i].version)) {
             *security_policy = security_policy_selection[i].security_policy;