Popularity

8.1

Declining

Activity

9.4

Stars 4,446

Watchers 172

Forks 690

Last Commit about 8 hours ago

Code Quality Rank: L3

Programming language: C

License: Apache License 2.0

Tags: Cryptography

Latest version: v0.10.22

s2n alternatives and similar libraries

Based on the "Cryptography" category.
Alternatively, view s2n alternatives based on common mentions on social networks and blogs.

OpenSSL

9.8 9.9 L2 s2n VS OpenSSL

TLS/SSL and crypto library
libsodium

9.3 8.7 L3 s2n VS libsodium

A modern, portable, easy to use crypto library.

WorkOS - The modern identity platform for B2B SaaS

The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

Promo workos.com

mbedTLS

8.8 10.0 L2 s2n VS mbedTLS

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
Crypto++

8.4 8.0 L1 s2n VS Crypto++

free C++ class library of cryptographic schemes
Tiny AES128 in C

8.3 0.0 L5 s2n VS Tiny AES128 in C

Small portable AES128/192/256 in C
Botan

7.3 9.8 L1 s2n VS Botan

Cryptography Toolkit
LibTomCrypt

6.7 7.3 L3 s2n VS LibTomCrypt

LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.
Themis by Cossack Labs

6.2 5.9 L3 s2n VS Themis by Cossack Labs

Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.
LibreSSL

6.1 9.5 L4 s2n VS LibreSSL

LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to [email protected] are welcome.
Bcrypt

5.6 9.1 L3 s2n VS Bcrypt

Modern(-ish) password hashing for your software and your servers
libhydrogen

4.4 7.3 s2n VS libhydrogen

A lightweight, secure, easy-to-use crypto library suitable for constrained environments.
digestpp

3.0 3.3 s2n VS digestpp

C++11 header-only message digest library
retter

2.3 0.0 L3 s2n VS retter

A collection of hash functions, ciphers, tools, libraries, and materials related to cryptography & security. :closed_lock_with_key::closed_lock_with_key::closed_lock_with_key::closed_lock_with_key::closed_lock_with_key: (project was renamed, libchaos is main)
mbedcrypto

1.9 0.0 s2n VS mbedcrypto

a portable, small, easy to use and fast c++14 library for cryptography.
GnuTLS

1.1 0.0 L2 s2n VS GnuTLS

GnuTLS
GnuPG

1.0 0.0 L1 s2n VS GnuPG

Mirror of git://git.gnupg.org/gnupg.git — master branch contains no changes from upstream.
BeeCrypt

- s2n VS BeeCrypt

A portable and fast cryptography library. [LGPLv2.1+]
Nettle

- s2n VS Nettle

A low-level cryptographic library. [LGPL]
Libgcrypt

- s2n VS Libgcrypt

A general purpose cryptographic library originally based on code from GnuPG. [LGPLv2.1+]

* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.

Do you think we are missing an alternative of s2n or a related project?

Add another 'Cryptography' Library

Popular Comparisons

README

s2n-tls is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. It is released and licensed under the Apache License 2.0.

Quickstart for Ubuntu

Fork s2n-tls on GitHub
Run the following commands on Ubuntu. ``` git clone https://github.com/${YOUR_GITHUB_ACCOUNT_NAME}/s2n-tls.git cd s2n-tls

Pick an "env" line from the codebuild/codebuild.config file and run it, in this case choose the openssl-1.1.1 with GCC 9 build

S2N_LIBCRYPTO=openssl-1.1.1 BUILD_S2N=true TESTS=integration GCC_VERSION=9

sudo codebuild/bin/s2n_install_test_dependencies.sh codebuild/bin/s2n_codebuild.sh


## Quickstart for OSX (or other platforms)

If you are building on OSX, or simply don't want to execute the entire build script above, you can use build tools like Ninja.

### OSX

An example of building on OSX:

```sh
# Install required dependencies using homebrew
brew install ninja cmake coreutils [email protected]

# Clone the s2n-tls source repository into the `s2n-tls` directory
git clone https://github.com/${YOUR_GITHUB_ACCOUNT_NAME}/s2n-tls.git
cd s2n-tls

# Create a build directory, and build s2n-tls with debug symbols and a specific OpenSSL version.
cmake . -Bbuild -GNinja \
    -DCMAKE_BUILD_TYPE=Debug \
    -DCMAKE_PREFIX_PATH=$(dirname $(dirname $(brew list [email protected]|grep libcrypto.dylib)))
cmake --build ./build -j $(nproc)
CTEST_PARALLEL_LEVEL=$(nproc) ninja -C build test

Amazonlinux2

Install dependencies with ./codebuild/bin/install_al2_dependencies.sh after cloning.

git clone https://github.com/${YOUR_GITHUB_ACCOUNT_NAME}/s2n-tls.git
cd s2n-tls
cmake . -Bbuild -DCMAKE_EXE_LINKER_FLAGS="-lcrypto -lz" -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
cmake --build ./build -j $(nproc)
CTEST_PARALLEL_LEVEL=$(nproc) make -C build test

Have a Question?

If you have any questions about Submitting PR's, Opening Issues, s2n-tls API usage, or something similar, we have a public chatroom available here to answer your questions: https://gitter.im/awslabs/s2n

Otherwise, if you think you might have found a security impacting issue, please instead follow our Security Notification Process.

Documentation

s2n-tls uses Doxygen to document its public API. The latest s2n-tls documentation can be found on GitHub pages.

Documentation for older versions or branches of s2n-tls can be generated locally. To generate the documentation, install doxygen and run doxygen docs/doxygen/Doxyfile. The doxygen documentation can now be found at docs/doxygen/output/html/index.html.

Doxygen installation instructions are available at the Doxygen webpage.

Using s2n-tls

The s2n-tls I/O APIs are designed to be intuitive to developers familiar with the widely-used POSIX I/O APIs, and s2n-tls supports blocking, non-blocking, and full-duplex I/O. Additionally there are no locks or mutexes within s2n-tls.

/* Create a server mode connection handle */
struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
if (conn == NULL) {
    ... error ...
}

/* Associate a connection with a file descriptor */
if (s2n_connection_set_fd(conn, fd) < 0) {
    ... error ...
}

/* Negotiate the TLS handshake */
s2n_blocked_status blocked;
if (s2n_negotiate(conn, &blocked) < 0) {
    ... error ...
}

/* Write data to the connection */
int bytes_written;
bytes_written = s2n_send(conn, "Hello World", sizeof("Hello World"), &blocked);

For details on building the s2n-tls library and how to use s2n-tls in an application you are developing, see the usage guide.

s2n-tls features

s2n-tls implements SSLv3, TLS1.0, TLS1.1, TLS1.2, and TLS1.3. For encryption, s2n-tls supports 128-bit and 256-bit AES in the CBC and GCM modes, ChaCha20, 3DES, and RC4. For forward secrecy, s2n-tls supports both DHE and ECDHE. s2n-tls also supports the Server Name Indicator (SNI), Application-Layer Protocol Negotiation (ALPN), and Online Certificate Status Protocol (OCSP) TLS extensions. SSLv3, RC4, 3DES, and DHE are each disabled by default for security reasons.

As it can be difficult to keep track of which encryption algorithms and protocols are best to use, s2n-tls features a simple API to use the latest "default" set of preferences. If you prefer to remain on a specific version for backwards compatibility, that is also supported.

/* Use the latest s2n-tls "default" set of ciphersuite and protocol preferences */
s2n_config_set_cipher_preferences(config, "default");

/* Use a specific set of preferences, update when you're ready */
s2n_config_set_cipher_preferences(config, "20150306")

s2n-tls safety mechanisms

Internally s2n-tls takes a systematic approach to data protection and includes several mechanisms designed to improve safety.

Small and auditable code base

Ignoring tests, blank lines and comments, s2n-tls is about 6,000 lines of code. s2n's code is also structured and written with a focus on reviewability. All s2n-tls code is subject to code review, and we plan to complete security evaluations of s2n-tls on an annual basis.

To date there have been two external code-level reviews of s2n-tls, including one by a commercial security vendor. s2n-tls has also been shared with some trusted members of the broader cryptography, security, and Open Source communities. Any issues discovered are always recorded in the s2n-tls issue tracker.

Static analysis, fuzz-testing and penetration testing

In addition to code reviews, s2n-tls is subject to regular static analysis, fuzz-testing, and penetration testing. Several penetration tests have occurred, including two by commercial vendors.

Unit tests and end-to-end testing

s2n-tls includes positive and negative unit tests and end-to-end test cases.

Erase on read

s2n-tls encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.

Built-in memory protection

s2n-tls uses operating system features to protect data from being swapped to disk or appearing in core dumps.

Minimalist feature adoption

s2n-tls avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.

Compartmentalized random number generation

The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n-tls provides every thread with two separate random number generators. One for "public" randomly generated data that may appear in the clear, and one for "private" data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts.

Modularized encryption

s2n-tls has been structured so that different encryption libraries may be used. Today s2n-tls supports OpenSSL (versions 1.0.2, 1.1.1 and 3.0.x), LibreSSL, BoringSSL, and the Apple Common Crypto framework to perform the underlying cryptographic operations.

Timing blinding

s2n-tls includes structured support for blinding time-based side-channels that may leak sensitive data. For example, if s2n-tls fails to parse a TLS record or handshake message, s2n-tls will add a randomized delay of between 10 and 30 seconds, granular to nanoseconds, before responding. This raises the complexity of real-world timing side-channel attacks by a factor of at least tens of trillions.

Table based state-machines

s2n-tls uses simple tables to drive the TLS/SSL state machines, making it difficult for invalid out-of-order states to arise.

C safety

s2n-tls is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.

Security issue notifications

If you discover a potential security issue in s2n-tls we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue.

If you package or distribute s2n-tls, or use s2n-tls as part of a large multi-user service, you may be eligible for pre-notification of future s2n-tls releases. Please contact [email protected].

Contributing to s2n-tls

If you are interested in contributing to s2n-tls, please see our development guide.

Language Bindings for s2n-tls

See our language bindings list for language bindings for s2n-tls that we're aware of.

*Note that all licence references and agreements mentioned in the s2n README section above are relevant to that project's source code only.

s2n

An implementation of the TLS/SSL protocols