From b1818acc327e1d33e3a52660471c037bc3245b20 Mon Sep 17 00:00:00 2001
From: Michael Graeb <graebm@amazon.com>
Date: Fri, 14 Jul 2023 00:25:11 +0000
Subject: [PATCH] Check that s2n_config_set_cipher_preferences() actually
 succeeds. Log a useful message that you probably need to update S2N.

---
 source/s2n/s2n_tls_channel_handler.c | 41 ++++++++++++++++++----------
 tests/tls_handler_test.c             |  1 +
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
index 6082d12c7..bc30ca73b 100644
--- a/source/s2n/s2n_tls_channel_handler.c
+++ b/source/s2n/s2n_tls_channel_handler.c
@@ -1372,21 +1372,22 @@ static struct aws_tls_ctx *s_tls_ctx_new(
         goto cleanup_s2n_config;
     }
 
+    const char *security_policy = NULL;
     if (options->custom_key_op_handler != NULL) {
-        /* When custom_key_op_handler is set, don't use cipher preferences that allow TLS 1.3.
+        /* When custom_key_op_handler is set, don't use security policy that allow TLS 1.3.
          * This hack is necessary until our PKCS#11 custom_key_op_handler supports RSA PSS */
         switch (options->minimum_tls_version) {
             case AWS_IO_SSLv3:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "CloudFront-SSL-v-3");
+                security_policy = "CloudFront-SSL-v-3";
                 break;
             case AWS_IO_TLSv1:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "CloudFront-TLS-1-0-2014");
+                security_policy = "CloudFront-TLS-1-0-2014";
                 break;
             case AWS_IO_TLSv1_1:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "ELBSecurityPolicy-TLS-1-1-2017-01");
+                security_policy = "ELBSecurityPolicy-TLS-1-1-2017-01";
                 break;
             case AWS_IO_TLSv1_2:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "ELBSecurityPolicy-TLS-1-2-Ext-2018-06");
+                security_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06";
                 break;
             case AWS_IO_TLSv1_3:
                 AWS_LOGF_ERROR(AWS_LS_IO_TLS, "TLS 1.3 with PKCS#11 is not supported yet.");
@@ -1394,29 +1395,29 @@ static struct aws_tls_ctx *s_tls_ctx_new(
                 goto cleanup_s2n_config;
             case AWS_IO_TLS_VER_SYS_DEFAULTS:
             default:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "ELBSecurityPolicy-TLS-1-1-2017-01");
+                security_policy = "ELBSecurityPolicy-TLS-1-1-2017-01";
         }
     } else {
-        /* No custom_key_op_handler is set, use normal cipher preferences */
+        /* No custom_key_op_handler is set, use normal security policies */
         switch (options->minimum_tls_version) {
             case AWS_IO_SSLv3:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-SSLv3.0-2023");
+                security_policy = "AWS-CRT-SDK-SSLv3.0-2023";
                 break;
             case AWS_IO_TLSv1:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0-2023");
+                security_policy = "AWS-CRT-SDK-TLSv1.0-2023";
                 break;
             case AWS_IO_TLSv1_1:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.1-2023");
+                security_policy = "AWS-CRT-SDK-TLSv1.1-2023";
                 break;
             case AWS_IO_TLSv1_2:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.2-2023");
+                security_policy = "AWS-CRT-SDK-TLSv1.2-2023";
                 break;
             case AWS_IO_TLSv1_3:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.3-2023");
+                security_policy = "AWS-CRT-SDK-TLSv1.3-2023";
                 break;
             case AWS_IO_TLS_VER_SYS_DEFAULTS:
             default:
-                s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0-2023");
+                security_policy = "AWS-CRT-SDK-TLSv1.0-2023";
         }
     }
 
@@ -1425,7 +1426,7 @@ static struct aws_tls_ctx *s_tls_ctx_new(
             /* No-Op, if the user configured a minimum_tls_version then a version-specific Cipher Preference was set */
             break;
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
-            s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "PQ-TLS-1-0-2021-05-26");
+            security_policy = "PQ-TLS-1-0-2021-05-26";
             break;
         default:
             AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Unrecognized TLS Cipher Preference: %d", options->cipher_pref);
@@ -1433,6 +1434,18 @@ static struct aws_tls_ctx *s_tls_ctx_new(
             goto cleanup_s2n_config;
     }
 
+    AWS_ASSERT(security_policy != NULL);
+    if (s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, security_policy)) {
+        AWS_LOGF_ERROR(
+            AWS_LS_IO_TLS,
+            "ctx: Failed setting security policy '%s' (newer S2N required?): %s (%s)",
+            security_policy,
+            s2n_strerror(s2n_errno, "EN"),
+            s2n_strerror_debug(s2n_errno, "EN"));
+        aws_raise_error(AWS_IO_TLS_CTX_ERROR);
+        goto cleanup_s2n_config;
+    }
+
     if (aws_tls_options_buf_is_set(&options->certificate) && aws_tls_options_buf_is_set(&options->private_key)) {
         AWS_LOGF_DEBUG(AWS_LS_IO_TLS, "ctx: Certificate and key have been set, setting them up now.");
 
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
index 3718f675c..b44bc70fa 100644
--- a/tests/tls_handler_test.c
+++ b/tests/tls_handler_test.c
@@ -1114,6 +1114,7 @@ static int s_verify_good_host(
     }
 
     struct aws_tls_ctx *client_ctx = aws_tls_client_ctx_new(allocator, &client_ctx_options);
+    ASSERT_NOT_NULL(client_ctx);
 
     struct aws_tls_connection_options tls_client_conn_options;
     aws_tls_connection_options_init_from_ctx(&tls_client_conn_options, client_ctx);