1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_security_policies.h"
17 : :
18 : : #include "api/s2n.h"
19 : : #include "crypto/s2n_pq.h"
20 : : #include "tls/s2n_certificate_keys.h"
21 : : #include "tls/s2n_connection.h"
22 : : #include "utils/s2n_safety.h"
23 : :
/* Default as of 2025-10 (policy dated 2025-10-14).
 * TLS1.2 minimum with hybrid PQ key exchange from kem_preferences_pq_tls_1_3_ietf_2025_07.
 * Unlike the FIPS sibling (security_policy_20251015) this policy sets no
 * certificate_signature_preferences, so certificate-chain signature algorithms
 * are not constrained by this policy beyond what the library applies by default.
 * The rules entry records that the policy is expected to provide perfect forward
 * secrecy; enforcement of that rule lives elsewhere (presumably policy tests).
 */
const struct s2n_security_policy security_policy_20251014 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
35 : :
/* FIPS default as of 2025-10 (policy dated 2025-10-15).
 * Differs from security_policy_20251014 in three ways: a FIPS cipher list
 * (cipher_preferences_20251015), an explicit certificate_signature_preferences
 * list (20201110) restricting certificate-chain signature algorithms, and the
 * older ECC list (20201021) instead of 20240501. It asserts both the PFS rule and
 * the S2N_FIPS_140_3 rule; the rule checks themselves are not in this file.
 */
const struct s2n_security_policy security_policy_20251015 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251015,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
49 : :
/* 2024-05 default: TLS1.2 minimum, classical key exchange only
 * (kem_preferences_null), cipher list 20240331. No certificate_signature_preferences
 * are set here; compare the FIPS sibling security_policy_20240502, which sets them.
 * Asserts the perfect-forward-secrecy rule.
 */
const struct s2n_security_policy security_policy_20240501 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
60 : :
/* 2024-05 FIPS default. Same cipher, KEM and signature lists as
 * security_policy_20240501, plus certificate_signature_preferences_20201110 and the
 * older ECC list 20201021; asserts both the PFS and S2N_FIPS_140_3 rules.
 */
const struct s2n_security_policy security_policy_20240502 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
73 : :
/* TLS1.3 default as of 05/24.
 * NOTE(review): the minimum protocol version is TLS1.2, not TLS1.3 -- the "TLS1.3"
 * in the name presumably refers to TLS1.3 being offered via
 * cipher_preferences_cloudfront_tls_1_2_2019 (not visible here; confirm).
 * Classical key exchange only; asserts the PFS rule.
 */
const struct s2n_security_policy security_policy_20240503 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
86 : :
/* PQ default as of 07/24.
 * Identical to security_policy_20240503 except that hybrid PQ key exchange is
 * enabled via kem_preferences_pq_tls_1_3_2023_06 (the pre-IETF draft list;
 * later policies in this file move to the ietf_2024_10 / ietf_2025_07 lists).
 */
const struct s2n_security_policy security_policy_20240730 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
99 : :
/* PQ policy, 2024-10: same as security_policy_20240730 but with the KEM list
 * switched to kem_preferences_pq_tls_1_3_ietf_2024_10. Signature lists are
 * unchanged (20240501 / certificate 20201110); see security_policy_20250512 for
 * the ML-DSA-capable variant.
 */
const struct s2n_security_policy security_policy_20241001 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
111 : :
/* 20241001, but with ML-DSA added.
 * The only fields that change relative to security_policy_20241001 are the two
 * signature lists (handshake and certificate), both moved to the 20250512
 * versions; the KEM, cipher and ECC lists are identical.
 */
const struct s2n_security_policy security_policy_20250512 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
124 : :
/* 2025-07: security_policy_20250512 with the KEM list advanced to
 * kem_preferences_pq_tls_1_3_ietf_2025_07. Every other field is unchanged.
 */
const struct s2n_security_policy security_policy_20250721 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
136 : :
/* security_policy_20241001 with the "mixed" KEM list
 * (kem_preferences_pq_tls_1_3_mixed_2024_10) in place of the pure IETF list.
 * What "mixed" admits is defined in the KEM preference tables, not here --
 * presumably a blend of draft and IETF hybrid groups; confirm before relying on it.
 */
const struct s2n_security_policy security_policy_20241001_pq_mixed = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
148 : :
/* 2024-06: TLS1.2 minimum, classical key exchange, cipher and ECC lists dated
 * 20240603. NOTE(review): no rules entry is set, so unlike the neighbouring
 * 2024 policies this one does not assert perfect forward secrecy; whether
 * cipher_preferences_20240603 contains non-ephemeral suites cannot be seen here.
 */
const struct s2n_security_policy security_policy_20240603 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240603,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240603,
};
157 : :
/* Legacy 2017 policy: TLS1.0 minimum, 2014-era signature and ECC lists, no
 * certificate signature restrictions and no rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996); keep this only for
 * explicitly-legacy callers.
 */
const struct s2n_security_policy security_policy_20170210 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170210,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
165 : :
/* 2024-04 compatibility policy: TLS1.0 minimum paired with the 2021-08 cipher
 * list and 2020-era signature/ECC lists; certificate signatures are restricted
 * via certificate_signature_preferences_20201110. No rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20240417 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210831,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
174 : :
/*
 * This security policy is derived from the following specification:
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
 *
 * Supports TLS1.2
 *
 * All lists are the "default_fips" variants. Note that
 * certificate_signature_preferences reuses s2n_signature_preferences_default_fips
 * (the handshake signature list) rather than a dedicated certificate list, so the
 * same algorithm set governs both handshake and certificate-chain signatures.
 * Asserts the PFS and S2N_FIPS_140_3 rules.
 */
const struct s2n_security_policy security_policy_20240416 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_default_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_default_fips,
    .certificate_signature_preferences = &s2n_signature_preferences_default_fips,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
193 : :
/* 2023-03 FIPS policy: TLS1.2 minimum, cipher list 20230317. As with
 * security_policy_20240416, certificate_signature_preferences points at the
 * handshake signature list (20230317) rather than a separate certificate list.
 * Asserts the PFS and S2N_FIPS_140_3 rules.
 */
const struct s2n_security_policy security_policy_20230317 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20230317,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
206 : :
/* 2024-03 FIPS policy: security_policy_20230317 with only the cipher list
 * advanced to cipher_preferences_20240331; signature, certificate-signature and
 * ECC lists are unchanged. Asserts the PFS and S2N_FIPS_140_3 rules.
 */
const struct s2n_security_policy security_policy_20240331 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
219 : :
/* 2019-08 policy: TLS1.0 minimum with cipher list 20190801 and the 2020-03 ECC
 * list. Its sibling security_policy_20190802 differs only in using the 2014 ECC
 * list. No certificate signature restrictions and no rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20190801 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
232 : :
/* 2019-08 policy, variant 2: identical to security_policy_20190801 except the
 * ECC list is the older 20140601 one. TLS1.0 minimum, no rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20190802 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
245 : :
/* Legacy 2017-04 policy: TLS1.0 minimum, 2014 signature/ECC lists, no rules.
 * security_policy_20170405_gcm below is the same with a GCM-oriented cipher list.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20170405 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
253 : :
/* Legacy 2017-04 policy, GCM cipher list variant: differs from
 * security_policy_20170405 only in cipher_preferences. TLS1.0 minimum, no rules.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20170405_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
261 : :
/* ELB policies (2015-04 through 2019-08). All share the 2014 signature and ECC
 * lists and classical key exchange; they differ in minimum protocol version and
 * cipher list. This one: TLS1.0 minimum, no rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_elb_2015_04 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2015_04,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
269 : :
/* ELB 2016-08: TLS1.0 minimum, cipher list elb_security_policy_2016_08, no rules.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_elb_2016_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2016_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
277 : :
/* ELB 2017-01, TLS1.1 floor: rejects TLS1.0 but still admits TLS1.1. No rules.
 * NOTE(review): TLS1.1 is deprecated alongside TLS1.0 (RFC 8996).
 */
const struct s2n_security_policy security_policy_elb_tls_1_1_2017_01 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_tls_1_1_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
285 : :
/* ELB 2017-01, TLS1.2 floor. No rules asserted, so this policy does not claim
 * perfect forward secrecy (contrast the elb_fs_* policies below).
 */
const struct s2n_security_policy security_policy_elb_tls_1_2_2017_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
293 : :
/* ELB 2018-06 "ext" TLS1.2 policy: same lists as the 2017-01 TLS1.2 policy apart
 * from the cipher list. No rules asserted (no PFS claim).
 */
const struct s2n_security_policy security_policy_elb_tls_1_2_ext_2018_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_ext_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
301 : :
/* ELB 2018-06 forward-secrecy policy: asserts the PFS rule but keeps a TLS1.0
 * floor, so forward secrecy is claimed for the cipher suites while legacy
 * protocol versions remain negotiable.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_elb_fs_2018_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_fs_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
312 : :
/* ELB 2019-08 forward-secrecy policy with a TLS1.2 floor; asserts the PFS rule.
 * Signature/ECC lists are still the 2014 ones.
 */
const struct s2n_security_policy security_policy_elb_fs_1_2_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
323 : :
/* ELB 2019-08 forward-secrecy policy with a TLS1.1 floor; asserts the PFS rule.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_elb_fs_1_1_2019_08 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_fs_1_1_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
334 : :
/* ELB 2019-08 "Res" (restricted) forward-secrecy policy: TLS1.2 floor, asserts
 * the PFS rule. Differs from elb_fs_1_2_2019_08 only in the cipher list; what
 * "Res" removes is defined in that list, not here.
 */
const struct s2n_security_policy security_policy_elb_fs_1_2_Res_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_Res_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
345 : :
/* CloudFront upstream (origin-facing) policy.
 * NOTE(review): minimum_protocol_version is S2N_SSLv3. SSLv3 is prohibited by
 * RFC 7568; this floor exists for compatibility with legacy origins and should
 * not be selected by anything that can use the *_tls12 variant below.
 * 2014 signature list, 2023-06 ECC list, no certificate signature restrictions,
 * no rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
354 : :
/* CloudFront upstream with a TLS1.0 floor; its own cipher list
 * (cipher_preferences_cloudfront_upstream_tls10), otherwise the same lists as
 * security_policy_cloudfront_upstream. NOTE(review): TLS1.0 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
362 : :
/* CloudFront upstream with a TLS1.1 floor and its own cipher list.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls11,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
370 : :
/* CloudFront upstream with a TLS1.2 floor and its own cipher list; the
 * preferred choice among the original upstream policies. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
378 : :
/* CloudFront upstream 2025 -- same as original upstream above, but with:
 * 1. TLSv1.3 enabled and
 * 2. signature preferences updated to s2n_signature_preferences_20250820,
 *    expanding support for RSA PSS while preserving support for legacy
 *    signature algorithms.
 *
 * NOTE(review): this comment previously cited "2020-10-21" for the signature
 * list, which does not match the identifier actually referenced below; the
 * RSA-PSS description is carried over from that text and should be re-verified
 * against s2n_signature_preferences_20250820.
 * NOTE(review): the floor is still S2N_SSLv3 (prohibited by RFC 7568); prefer
 * one of the *_tls12 / *_tls13 variants below unless SSLv3 origins are required.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
391 : :
/* cloudfront_upstream_2025_08_08 with a TLS1.0 floor. Note the cipher list is the
 * shared cipher_preferences_cloudfront_upstream_2025_08_08, unlike the original
 * upstream family where each floor had its own list.
 * NOTE(review): TLS1.0 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
399 : :
/* cloudfront_upstream_2025_08_08 with a TLS1.1 floor; shared 2025-08-08 cipher list.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
407 : :
/* cloudfront_upstream_2025_08_08 with a TLS1.2 floor; shared 2025-08-08 cipher list.
 * No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
415 : :
/* cloudfront_upstream_2025_08_08 with a TLS1.3 floor. This variant uses a
 * separate cipher list (cipher_preferences_cloudfront_upstream_2025_08_08_tls13)
 * rather than the shared one. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
423 : :
/* PQ variant of cloudfront_upstream_2025_08_08: hybrid key exchange via
 * kem_preferences_pq_tls_1_3_ietf_2025_07 and the signature list 20250821
 * (the non-PQ variants use 20250820; the difference between the two lists is not
 * documented in this file -- confirm it is intentional).
 * NOTE(review): floor is still S2N_SSLv3 (prohibited by RFC 7568).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
431 : :
/* PQ variant with a TLS1.0 floor: hybrid KEM list ietf_2025_07, signature list
 * 20250821. NOTE(review): TLS1.0 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
439 : :
/* PQ variant with a TLS1.1 floor: hybrid KEM list ietf_2025_07, signature list
 * 20250821. NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
447 : :
/* PQ variant with a TLS1.2 floor: hybrid KEM list ietf_2025_07, signature list
 * 20250821, shared 2025-08-08 cipher list. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
455 : :
/* PQ variant with a TLS1.3 floor: hybrid KEM list ietf_2025_07, signature list
 * 20250821, and the TLS1.3-specific cipher list. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
463 : :
/* CloudFront viewer facing.
 * These policies share the 2020-02 signature list and 2020-03 ECC list and differ
 * in protocol floor and cipher list. This one allows SSLv3.
 * NOTE(review): SSLv3 is prohibited by RFC 7568; retain only for explicitly
 * legacy viewers. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
472 : :
/* CloudFront viewer policy, 2014 cipher list, TLS1.0 floor. No rules asserted.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
480 : :
/* CloudFront viewer policy, 2016 cipher list, TLS1.0 floor. No rules asserted.
 * security_policy_20241106 below is this policy with a TLS1.2 floor.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
488 : :
/* Same as security_policy_cloudfront_tls_1_0_2016, but with TLS 1.2 as minimum.
 * The cipher list is still the 2016 one, and no rules are asserted, so this
 * policy makes no perfect-forward-secrecy claim (contrast cloudfront_tls_1_2_2019).
 */
const struct s2n_security_policy security_policy_20241106 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
497 : :
/* CloudFront viewer policy, 2016 cipher list, TLS1.1 floor. No rules asserted.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
505 : :
/* CloudFront viewer policy, 2017 cipher list, TLS1.2 floor. No rules asserted
 * (no PFS claim; the 2019/2021 policies below add it).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
513 : :
/* CloudFront viewer policy, 2018 cipher list, TLS1.2 floor. No rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
521 : :
/* CloudFront viewer policy, 2019 cipher list, TLS1.2 floor. First viewer policy
 * in this file to assert the perfect-forward-secrecy rule. Its cipher list is
 * also reused by the 2024/2025 default policies above.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
532 : :
/* CloudFront viewer policy, 2021 cipher list, TLS1.2 floor; asserts the PFS rule.
 * Same signature/ECC lists as the 2019 policy.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
543 : :
/* cloudfront_tls_1_2_2021 with a cipher list that orders ChaCha20 earlier
 * ("boosted"); the exact ordering lives in the cipher preference table.
 * Everything else matches the 2021 policy, including the PFS rule.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_chacha20_boosted = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021_chacha20_boosted,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
554 : :
/* CloudFront viewer facing legacy TLS 1.2 policies.
 * The "_legacy" family uses the 2014 signature and ECC lists (the non-legacy
 * viewer policies use 2020-02 / 2020-03). This one allows SSLv3.
 * NOTE(review): SSLv3 is prohibited by RFC 7568. No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_legacy = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
563 : :
/* Legacy viewer policy, 2014 cipher list, TLS1.0 floor, 2014 signature/ECC lists.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
571 : :
/* Legacy viewer policy, 2016 cipher list, TLS1.0 floor, 2014 signature/ECC lists.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
579 : :
/* Legacy viewer policy, 2016 cipher list, TLS1.1 floor, 2014 signature/ECC lists.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_legacy = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
587 : :
/* Legacy viewer policy, 2018 cipher list, TLS1.2 floor, 2014 signature/ECC lists.
 * No rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
595 : :
/* Legacy viewer policy, 2019 cipher list, TLS1.2 floor, 2014 signature/ECC lists.
 * Asserts the PFS rule, like its non-legacy counterpart.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
606 : :
/* AWS CRT SDK policies. This family shares the 2020-02 signature list and the
 * 2020-03 ECC list (the *_06_23 variants below switch to the 2023-06 ECC list).
 * This one allows SSLv3 with its own cipher list.
 * NOTE(review): SSLv3 is prohibited by RFC 7568. No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
614 : :
/* AWS CRT SDK, TLS1.0 floor, shared cipher_preferences_aws_crt_sdk_default.
 * NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996). No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
622 : :
/* AWS CRT SDK, TLS1.1 floor, shared default cipher list.
 * NOTE(review): TLS1.1 is deprecated (RFC 8996). No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
630 : :
/* AWS CRT SDK, TLS1.2 floor, shared default cipher list. No rules asserted
 * (no PFS claim; only the tls_13 variants assert it).
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
638 : :
/* AWS CRT SDK, TLS1.3 floor with the TLS1.3-specific cipher list; asserts the
 * PFS rule. Classical key exchange only.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
649 : :
/* 2023-06 refresh of aws_crt_sdk_ssl_v3: only the ECC list changes (20230623).
 * NOTE(review): still allows SSLv3, which RFC 7568 prohibits. No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3_06_23 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
657 : :
/* 2023-06 refresh of aws_crt_sdk_tls_10: only the ECC list changes (20230623).
 * NOTE(review): TLS1.0 is deprecated (RFC 8996). No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_06_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
665 : :
/* 2023-06 refresh of aws_crt_sdk_tls_11: only the ECC list changes (20230623).
 * NOTE(review): TLS1.1 is deprecated (RFC 8996). No rules asserted.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11_06_23 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
673 : :
674 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
675 : : .minimum_protocol_version = S2N_TLS12,
676 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
677 : : .kem_preferences = &kem_preferences_null,
678 : : .signature_preferences = &s2n_signature_preferences_20200207,
679 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
680 : : };
681 : :
682 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
683 : : .minimum_protocol_version = S2N_TLS12,
684 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
685 : : .kem_preferences = &kem_preferences_null,
686 : : .signature_preferences = &s2n_signature_preferences_20240501,
687 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
688 : : .rules = {
689 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
690 : : [S2N_FIPS_140_3] = true,
691 : : },
692 : : };
693 : :
694 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
695 : : .minimum_protocol_version = S2N_TLS13,
696 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
697 : : .kem_preferences = &kem_preferences_null,
698 : : .signature_preferences = &s2n_signature_preferences_20200207,
699 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
700 : : .rules = {
701 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
702 : : },
703 : : };
704 : :
/* KMS (non-PQ) policies. All three assert the perfect-forward-secrecy rule
 * and use kem_preferences_null. */
const struct s2n_security_policy security_policy_kms_tls_1_0_2018_10 = {
    /* TLS 1.0 floor with the 2014-era signature and ECC preferences. */
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_kms_tls_1_0_2021_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_kms_tls_1_0_2021_08 (same cipher list and
 * preferences) but with TLS 1.2 as the minimum protocol version. */
const struct s2n_security_policy security_policy_kms_tls_1_2_2023_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* KMS PQ policies, TLS 1.0 floor, 2014-era signature/ECC preferences, PFS rule
 * asserted. */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2019_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2019_06,
    /* NOTE(review): despite the "pq" name, kem_preferences is null here and in
     * 2020_02 below; only 2020_07 carries a real KEM preference list. Presumably
     * any PQ behaviour for these two lives in the cipher list itself - confirm. */
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_02,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* First KMS PQ policy with a non-null KEM preference list. Its cipher list is
 * reused by security_policy_pq_tls_1_0_2021_05_20 below. */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* General-purpose PQ policies with a TLS 1.0 or TLS 1.1 floor. Within this
 * family every policy uses s2n_ecc_preferences_20200310 and, up to
 * pq_tls_1_0_2023_01_24, kem_preferences_pq_tls_1_0_2021_05; they differ in
 * cipher list, signature preferences, and whether the perfect-forward-secrecy
 * rule is asserted. The TLS 1.2-floor variants of several of these are defined
 * further down (security_policy_pq_tls_1_2_2023_04_*). */
const struct s2n_security_policy security_policy_pq_tls_1_0_2020_12 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2020_12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS 1.1 floor; no rules asserted. */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_17 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_17,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_18 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_18,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_19 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_19,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_20 = {
    .minimum_protocol_version = S2N_TLS10,
    /* Yes, this is the same cipher_preferences as kms_pq_tls_1_0_2020_07. The difference between these policies is
     * the ecc_preferences, with this one adding support for x25519. */
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS 1.1 floor; reused with a TLS 1.2 floor by pq_tls_1_2_2023_04_07. */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_21 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_22 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_23,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Asserts the perfect-forward-secrecy rule; its cipher list is reused by
 * pq_tls_1_0_2023_01_24 and pq_tls_1_2_2023_04_09 / 2023_10_09. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_24 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_25 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_25,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_26 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_24, but with the KEM preferences
 * updated to kem_preferences_pq_tls_1_0_2023_01. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2023_01_24 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2023_01,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS 1.2-floor re-issues of the 2021_05 PQ policies. Each one is
 * field-for-field identical to the policy it names, apart from
 * minimum_protocol_version. */

/* Same as security_policy_pq_tls_1_1_2021_05_21, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_22, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_24, but with TLS 1.2 as minimum.
 * Like its source policy, this one asserts the perfect-forward-secrecy rule. */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_0_2021_05_26, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* NOTE(review): the name says tls_1_3, but the floor is S2N_TLS12 - so TLS 1.2
 * peers are still accepted by this policy. Presumably TLS 1.3 is preferred
 * rather than required; confirm against cipher_preferences_pq_tls_1_3_2023_06_01. */
const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_3_2023_06_01,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* The 2023_10_* policies below re-issue the 2023_04_* policies with
 * kem_preferences_pq_tls_1_3_2023_06; every other field is unchanged. */

/* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_09, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* General purpose "mostly" FIPS + PQ policy (with the exception of supporting RSA Key Exchange for backwards compatibility).
 * Because RSA key exchange is allowed, neither the FIPS 140-3 rule nor the
 * perfect-forward-secrecy rule is asserted for this policy. */
const struct s2n_security_policy security_policy_pq_20231213 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231213,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* General purpose FIPS + PQ policy that meets all current FIPS requirements.
 * Differs from pq_20231213 only in the cipher list and in asserting the
 * FIPS 140-3 rule.
 * NOTE(review): S2N_PERFECT_FORWARD_SECRECY is not asserted here or in
 * pq_20231215, whereas kms_fips_tls_1_2_2024_10 (which is documented as the
 * same as pq_20231215 plus ML-KEM) asserts it - confirm whether the omission is
 * intentional. */
const struct s2n_security_policy security_policy_pq_20231214 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231214,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
            [S2N_FIPS_140_3] = true,
    },
};

/* FIPS + PQ Policy that uses KMS's FIPS cipher preference list and meets all current FIPS requirements.
 * Same as pq_20231214 except for the cipher list, which is shared with
 * security_policy_kms_fips_tls_1_2_2021_08. */
const struct s2n_security_policy security_policy_pq_20231215 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
            [S2N_FIPS_140_3] = true,
    },
};

/* PQ variants of the 2023-06-23 CRT SDK policies. Each differs from its named
 * base policy only in kem_preferences (null -> an ML-KEM list); the floor,
 * cipher list, signature and ECC preferences are unchanged, and none of them
 * assert rules. Note that the tls_10 variant therefore still accepts TLS 1.0. */

/* Same as security_policy_aws_crt_sdk_tls_10_06_23 but with (IETF-standardized) ML-KEM Support */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_07_25_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with (IETF-standardized) ML-KEM Support */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_07_25_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_13_06_23 but with (IETF-standardized) ML-KEM Support.
 * Unlike tls_13_06_23, this variant does not assert the perfect-forward-secrecy
 * rule. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_07_25_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with ML-KEM Support.
 * Uses the earlier "mixed" 2024-10 KEM list rather than the IETF 2025-07 one
 * used by the _07_25_pq policies above. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* 2024-10 re-issues of the pq_tls_1_2_2023_10_* policies. All of them switch
 * to kem_preferences_pq_tls_1_3_mixed_2024_10 and to a new cipher list; the
 * signature and ECC preferences are carried over unchanged. */

/* Same as security_policy_pq_tls_1_2_2023_10_07, but with TLS 1.2 Kyber removed, and added ML-KEM support.
 * NOTE(review): the cipher list here is elb_security_policy_tls13_1_2_Ext2_2021_06
 * rather than a cipher_preferences_* list - presumably equivalent to
 * cipher_preferences_pq_tls_1_1_2021_05_21 minus the TLS 1.2 Kyber suites;
 * confirm, since the ELB list is shared with other policies. */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls13_1_2_Ext2_2021_06,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_08, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_10, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008_gcm,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_09 but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support.
 * Like 2023_10_09, this is the only policy in the 2024_10 set that asserts the
 * perfect-forward-secrecy rule. */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241009,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* KMS FIPS policies. All have a TLS 1.2 floor and assert the
 * perfect-forward-secrecy rule; only the 2024_10 revision also asserts the
 * FIPS 140-3 rule. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Cipher list shared with security_policy_pq_20231215 above. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2021_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_20231215, but with only ML-KEM Support.
 * Beyond the KEM list, this also differs from pq_20231215 in asserting the
 * perfect-forward-secrecy rule in addition to FIPS 140-3. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2024_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
            [S2N_FIPS_140_3] = true,
    },
};

/* Dated legacy policies. Every policy in this run has a pre-TLS 1.2 floor
 * (SSLv3 for 20140601, TLS 1.0 for all the others), uses kem_preferences_null,
 * and asserts no rules. They differ almost entirely in cipher_preferences; the
 * *_gcm policies differ from their non-_gcm counterpart only in that field.
 * The current default policies at the top of this file set a TLS 1.2 floor. */
const struct s2n_security_policy security_policy_20140601 = {
    /* The only SSLv3-floor policy in this run. */
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_20140601,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20141001 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20141001,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150202 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150202,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160411 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160411,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150306 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150306,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160804 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160804,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160824 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160824,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Cipher list reused by security_policy_20201021 with newer signature/ECC
 * preferences. */
const struct s2n_security_policy security_policy_20190122 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190121 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190121,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190120 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190120,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190214_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 20210825 and 20210825_gcm are the only policies in this run using the
 * 20200207 signature and 20200310 ECC preferences. */
const struct s2n_security_policy security_policy_20210825 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_20210825_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_20170328 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170328_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Same cipher list as security_policy_20190122, but with the 20201021
 * signature and ECC preferences. Still a TLS 1.0 floor; no rules asserted. */
const struct s2n_security_policy security_policy_20201021 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* TLS 1.2-floor policy asserting both the perfect-forward-secrecy and
 * FIPS 140-3 rules; its signature and ECC preferences (20210816) are reused by
 * the RFC 9151-derived policies below. */
const struct s2n_security_policy security_policy_20210816 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
            [S2N_FIPS_140_3] = true,
    },
};

/* Differs from security_policy_20210816 only in cipher_preferences. */
const struct s2n_security_policy security_policy_20210816_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
            [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * In addition to the handshake preferences, this policy pins certificate
 * signature and certificate key preferences. No rules are asserted; the
 * stricter 20251013 variant below removes RSA/DHE suites and asserts them.
 */
const struct s2n_security_policy security_policy_20250429 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20250429,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    /* NOTE(review): presumably this makes the certificate_* preferences above
     * apply to the local certificate chain as well as the peer's - confirm
     * against the policy-validation code. */
    .certificate_preferences_apply_locally = true,
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * The following exceptions to this specification are made:
 * - RSA cipher suites are not supported to allow for perfect forward secrecy.
 * - DHE cipher suites are not supported to remove the possibility of improper Diffie-Hellman
 * parameter configuration.
 *
 * Apart from the cipher list and the asserted rules, this policy is identical
 * to security_policy_20250429 above. The perfect-forward-secrecy rule follows
 * directly from the removal of the RSA key-exchange suites.
 */
const struct s2n_security_policy security_policy_20251013 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251013,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
            [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is a mix of default_tls13 (20240503) and rfc9151, with
 * a primary requirement that AES-256 is the ciphersuite chosen. Other
 * requirements are generally picked to raise minimum thresholds (e.g.,
 * requiring TLS 1.3) where possible without losing compatibility with modern
 * default_tls13 clients or servers.
 *
 * Superseded by 20250414 below, which keeps the same cipher list and TLS 1.3
 * floor but swaps signature_preferences (20250429 -> 20240501) and adds the
 * S2N_FIPS_140_3 flag; the 20250414 comment attributes a P-384
 * certificate-key requirement to this version. Kept so the registered name
 * "20250211" continues to resolve.
 */
const struct s2n_security_policy security_policy_20250211 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1350 : :
/*
 * This is essentially identical to 20250211, but fixes a bug which required
 * P-384 keys on certificates, which invalidated the compatibility promise for
 * that policy.
 *
 * Compared with 20250211 the visible differences are the signature
 * preference list (s2n_signature_preferences_20240501 instead of
 * s2n_signature_preferences_20250429) and the added S2N_FIPS_140_3 flag;
 * the cipher list, TLS 1.3 floor, certificate signature preferences and ECC
 * preferences are unchanged.
 */
const struct s2n_security_policy security_policy_20250414 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
            [S2N_FIPS_140_3] = true,
    },
};
1368 : :
/*
 * Test-only policies. These are registered by name in security_policy_selection
 * like any other policy, so they are reachable from s2n_find_security_policy_from_version;
 * none of them is a hardened configuration.
 */

/* Everything on: SSLv3 floor, every cipher, every KEM group, every signature scheme, every curve. */
const struct s2n_security_policy security_policy_test_all = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

/* TLS 1.2-and-below cipher list with an SSLv3 floor; pairs it with the 2021-05 PQ KEM list. */
const struct s2n_security_policy security_policy_test_all_tls12 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* FIPS-oriented test list: TLS 1.2 floor, no PQ, flagged only for S2N_FIPS_140_3 (not for PFS). */
const struct s2n_security_policy security_policy_test_all_fips = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_test_all_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_test_all_fips,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
            [S2N_FIPS_140_3] = true,
    },
};

/* ECDSA-only cipher list with a TLS 1.0 floor; flagged as satisfying PFS. */
const struct s2n_security_policy security_policy_test_all_ecdsa = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_ecdsa,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* RSA key exchange test list (no forward secrecy by construction); uses the oldest 2014 preference lists. */
const struct s2n_security_policy security_policy_test_all_rsa_kex = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_rsa_kex,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS 1.3-inclusive test list, still with an SSLv3 floor; flagged as satisfying PFS. */
const struct s2n_security_policy security_policy_test_all_tls13 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * PQ-only key exchange: ecc_preferences_null leaves zero classical curves, so
 * s2n_config_validate_security_policy accepts this policy only when
 * s2n_kem_preferences_groups_available reports at least one usable group.
 * NOTE(review): certificate_signature_preferences points at the handshake
 * signature list (s2n_signature_preferences_20240501) rather than an
 * s2n_certificate_signature_preferences_* list as the other policies in this
 * file do — confirm that is intended.
 */
const struct s2n_security_policy security_policy_test_pq_only = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_null,
};

/*
 * Registered under the dated name "20200207" but built on the
 * cipher_preferences_test_all_tls13 list with an SSLv3 floor; it differs from
 * security_policy_test_all_tls13 only in its signature preference list.
 */
const struct s2n_security_policy security_policy_20200207 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Test list that orders ECDSA suites first; SSLv3 floor, no PQ. */
const struct s2n_security_policy security_policy_test_ecdsa_priority = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_ecdsa_priority,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

/*
 * Empty policy: every preference list is the *_null variant, so nothing can be
 * negotiated with it. s2n_config_validate_security_policy special-cases
 * this exact object (by address) to skip the key-exchange availability and
 * certificate checks.
 */
const struct s2n_security_policy security_policy_null = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_null,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_null,
    .ecc_preferences = &s2n_ecc_preferences_null,
};
1461 : :
/*
 * Name -> policy lookup table consumed by s2n_find_security_policy_from_version.
 * The scan stops at the entry whose .version is NULL, so that sentinel must stay
 * last. Names are matched with strcasecmp, i.e. case-insensitively, which is why
 * e.g. "20210816_GCM" and "20210816_gcm" resolve to the same policy. Several
 * names intentionally alias one policy ("default"/"20251014", "rfc9151"/"20251013",
 * "ELBSecurityPolicy-TLS-1-0-2015-05"/"ELBSecurityPolicy-2016-08"). Every entry
 * sets ecc_extension_required and pq_kem_extension_required to 0; what those
 * fields gate is not visible in this file.
 */
struct s2n_security_policy_selection security_policy_selection[] = {
    /* If changing named policies, please update the usage guide's docs on the corresponding policy.
     * You likely also want to update the compatibility unit tests in (tests/unit/s2n_security_rules_test.c).
     */
    { .version = "default", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_fips", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240503", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240331", .security_policy = &security_policy_20240331, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240417", .security_policy = &security_policy_20240417, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240416", .security_policy = &security_policy_20240416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240730", .security_policy = &security_policy_20240730, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251014", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251015", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-2016-08", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-1-2017-01", .security_policy = &security_policy_elb_tls_1_1_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-2017-01", .security_policy = &security_policy_elb_tls_1_2_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", .security_policy = &security_policy_elb_tls_1_2_ext_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-2018-06", .security_policy = &security_policy_elb_fs_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-2019-08", .security_policy = &security_policy_elb_fs_1_2_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-1-2019-08", .security_policy = &security_policy_elb_fs_1_1_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-Res-2019-08", .security_policy = &security_policy_elb_fs_1_2_Res_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream", .security_policy = &security_policy_cloudfront_upstream, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0", .security_policy = &security_policy_cloudfront_upstream_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1", .security_policy = &security_policy_cloudfront_upstream_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2", .security_policy = &security_policy_cloudfront_upstream_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Viewer Facing */
    { .version = "CloudFront-SSL-v-3", .security_policy = &security_policy_cloudfront_ssl_v_3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014", .security_policy = &security_policy_cloudfront_tls_1_0_2014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016", .security_policy = &security_policy_cloudfront_tls_1_0_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016", .security_policy = &security_policy_cloudfront_tls_1_1_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2017", .security_policy = &security_policy_cloudfront_tls_1_2_2017, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018", .security_policy = &security_policy_cloudfront_tls_1_2_2018, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019", .security_policy = &security_policy_cloudfront_tls_1_2_2019, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021", .security_policy = &security_policy_cloudfront_tls_1_2_2021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-Chacha20-Boosted", .security_policy = &security_policy_cloudfront_tls_1_2_2021_chacha20_boosted, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Legacy (TLS 1.2) policies */
    { .version = "CloudFront-SSL-v-3-Legacy", .security_policy = &security_policy_cloudfront_ssl_v_3_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2014_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_1_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2018_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2019_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CRT allows users to choose the minimal TLS protocol they want to negotiate with. This translates to 5 different security policies in s2n */
    { .version = "AWS-CRT-SDK-SSLv3.0", .security_policy = &security_policy_aws_crt_sdk_ssl_v3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0", .security_policy = &security_policy_aws_crt_sdk_tls_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1", .security_policy = &security_policy_aws_crt_sdk_tls_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2", .security_policy = &security_policy_aws_crt_sdk_tls_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3", .security_policy = &security_policy_aws_crt_sdk_tls_13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-SSLv3.0-2023", .security_policy = &security_policy_aws_crt_sdk_ssl_v3_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2023", .security_policy = &security_policy_aws_crt_sdk_tls_10_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_10_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* NOTE(review): the symbol name (tls_30_06_25) does not follow the tls_<ver>_<mm>_<yy> pattern of its neighbours; the mapping is presumably intentional — confirm. */
    { .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_13_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* KMS TLS Policies*/
    { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-0-2021-08", .security_policy = &security_policy_kms_tls_1_0_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-2-2023-06", .security_policy = &security_policy_kms_tls_1_2_2023_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2018-10", .security_policy = &security_policy_kms_fips_tls_1_2_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2021-08", .security_policy = &security_policy_kms_fips_tls_1_2_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2024-10", .security_policy = &security_policy_kms_fips_tls_1_2_2024_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-0-2023-01-24", .security_policy = &security_policy_pq_tls_1_0_2023_01_24, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-07", .security_policy = &security_policy_pq_tls_1_2_2023_04_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-08", .security_policy = &security_policy_pq_tls_1_2_2023_04_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-13", .security_policy = &security_policy_pq_20231213, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-14", .security_policy = &security_policy_pq_20231214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-15", .security_policy = &security_policy_pq_20231215, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-07", .security_policy = &security_policy_pq_tls_1_2_2024_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08", .security_policy = &security_policy_pq_tls_1_2_2024_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08_gcm", .security_policy = &security_policy_pq_tls_1_2_2024_10_08_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-09", .security_policy = &security_policy_pq_tls_1_2_2024_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150214", .security_policy = &security_policy_20150214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150306", .security_policy = &security_policy_20150306, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160411", .security_policy = &security_policy_20160411, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160804", .security_policy = &security_policy_20160804, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160824", .security_policy = &security_policy_20160824, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170210", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328", .security_policy = &security_policy_20170328, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328_gcm", .security_policy = &security_policy_20170328_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214", .security_policy = &security_policy_20190214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214_gcm", .security_policy = &security_policy_20190214_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825", .security_policy = &security_policy_20210825, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825_gcm", .security_policy = &security_policy_20210825_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405", .security_policy = &security_policy_20170405, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405_gcm", .security_policy = &security_policy_20170405_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718", .security_policy = &security_policy_20170718, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718_gcm", .security_policy = &security_policy_20170718_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190120", .security_policy = &security_policy_20190120, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190121", .security_policy = &security_policy_20190121, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Dated name, but the policy behind it is built on the test_all_tls13 cipher list with an SSLv3 floor (see its definition above). */
    { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Upper-case "GCM" unlike the other *_gcm names; harmless because lookup is case-insensitive. */
    { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240603", .security_policy = &security_policy_20240603, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250211", .security_policy = &security_policy_20250211, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250414", .security_policy = &security_policy_20250414, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250429", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251013", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* If changing this, please update the usage guide's docs on the corresponding policy. */
    /* "rfc9151" resolves to 20251013, i.e. the variant that drops RSA-kex and DHE, not to the unmodified 20250429 profile. */
    { .version = "rfc9151", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all", .security_policy = &security_policy_test_all, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_fips", .security_policy = &security_policy_test_all_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_ecdsa", .security_policy = &security_policy_test_all_ecdsa, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_rsa_kex", .security_policy = &security_policy_test_all_rsa_kex, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_ecdsa_priority", .security_policy = &security_policy_test_ecdsa_priority, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls12", .security_policy = &security_policy_test_all_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls13", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_pq_only", .security_policy = &security_policy_test_pq_only, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "null", .security_policy = &security_policy_null, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Terminator: s2n_find_security_policy_from_version stops at the first NULL .version. */
    { .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
};
1613 : :
/*
 * Names of policies that have been removed. s2n_find_security_policy_from_version
 * consults this list only after security_policy_selection has been searched, and
 * rejects a match with S2N_ERR_DEPRECATED_SECURITY_POLICY so callers can tell a
 * retired name from a misspelt one. Matching is case-insensitive (strcasecmp).
 * The entries are all PQ-era experimental names; the policies they referred to
 * are no longer defined in this file.
 */
const char *deprecated_security_policies[] = {
    "KMS-PQ-TLS-1-0-2019-06",
    "KMS-PQ-TLS-1-0-2020-02",
    "KMS-PQ-TLS-1-0-2020-07",
    "PQ-TLS-1-0-2020-12",
    "PQ-TLS-1-1-2021-05-17",
    "PQ-TLS-1-0-2021-05-18",
    "PQ-TLS-1-0-2021-05-19",
    "PQ-TLS-1-0-2021-05-20",
    "PQ-TLS-1-1-2021-05-21",
    "PQ-TLS-1-0-2021-05-22",
    "PQ-TLS-1-0-2021-05-23",
    "PQ-TLS-1-0-2021-05-24",
    "PQ-TLS-1-0-2021-05-25",
    "PQ-TLS-1-0-2021-05-26",
    "PQ-SIKE-TEST-TLS-1-0-2019-11",
    "PQ-SIKE-TEST-TLS-1-0-2020-02",
};
/* Element count of the array above; computed at compile time by the project's s2n_array_len macro. */
const size_t deprecated_security_policies_len = s2n_array_len(deprecated_security_policies);
1633 : :
/*
 * Resolves a policy name to its security policy.
 *
 * The name is compared case-insensitively against security_policy_selection
 * first; on a hit *security_policy is set and 0 is returned. Otherwise the
 * retired names in deprecated_security_policies are checked so that a removed
 * policy fails with S2N_ERR_DEPRECATED_SECURITY_POLICY rather than the generic
 * S2N_ERR_INVALID_SECURITY_POLICY used for unknown names. On any failure
 * *security_policy is left untouched.
 *
 * @param version          NUL-terminated policy name; must not be NULL.
 * @param security_policy  Out-parameter receiving the matched policy; must not be NULL.
 * @return 0 on success, otherwise a POSIX-style failure with the s2n error set.
 */
int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(security_policy);

    /* Active names: the table is terminated by an entry whose .version is NULL. */
    for (const struct s2n_security_policy_selection *entry = security_policy_selection; entry->version != NULL; entry++) {
        if (strcasecmp(version, entry->version) == 0) {
            *security_policy = entry->security_policy;
            return 0;
        }
    }

    /* Retired names get a distinct error so callers can tell "removed" from "unknown". */
    size_t idx = 0;
    while (idx < deprecated_security_policies_len) {
        if (strcasecmp(version, deprecated_security_policies[idx]) == 0) {
            POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
        }
        idx++;
    }

    POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1654 : :
/* Check that security_policy can be installed on config.
 *
 * Fails on a NULL config or policy, on a policy missing any of its cipher, KEM,
 * signature or ECC preference lists, on a minimum protocol version above what
 * the libcrypto fully supports (S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED), on a
 * policy that offers neither an ECC curve nor an available PQ KEM group
 * (S2N_ERR_INVALID_SECURITY_POLICY), and when certificates already loaded into
 * config violate the policy's certificate preferences. security_policy_null is
 * exempt from the last two checks. Returns S2N_SUCCESS otherwise.
 */
static int s2n_config_validate_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* The libcrypto must be able to speak the policy's floor version. */
    POSIX_ENSURE(security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version(),
            S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* The null policy intentionally carries no key exchange; nothing more to check. */
    if (security_policy == &security_policy_null) {
        return S2N_SUCCESS;
    }

    /* At least one key exchange, classical ECC or PQ, must be possible at runtime. */
    uint32_t ecc_curves = security_policy->ecc_preferences->count;
    uint32_t kem_groups = 0;
    POSIX_GUARD_RESULT(s2n_kem_preferences_groups_available(security_policy->kem_preferences, &kem_groups));
    bool key_exchange_possible = (ecc_curves + kem_groups) > 0;
    POSIX_ENSURE(key_exchange_possible, S2N_ERR_INVALID_SECURITY_POLICY);

    /* Certificates already on the config must satisfy the policy's cert preferences. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));
    return S2N_SUCCESS;
}
1681 : :
/* Install security_policy on config, after s2n_config_validate_security_policy()
 * has accepted it. Returns 0 on success; fails without touching config otherwise. */
int s2n_config_set_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);

    int validation = s2n_config_validate_security_policy(config, security_policy);
    POSIX_GUARD(validation);

    config->security_policy = security_policy;
    return 0;
}
1689 : :
/* Look up the policy named by version and install it on config.
 * Unknown or deprecated names fail in the lookup; an invalid policy fails in
 * s2n_config_set_security_policy(). Returns S2N_SUCCESS otherwise. */
int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;

    int lookup = s2n_find_security_policy_from_version(version, &resolved);
    POSIX_GUARD(lookup);

    int install = s2n_config_set_security_policy(config, resolved);
    POSIX_GUARD(install);

    return S2N_SUCCESS;
}
1697 : :
/* Override the policy for a single connection. The policy is validated against
 * conn->config (which must hold the connection's certificates) before being
 * stored in conn->security_policy_override. Returns 0 on success. */
int s2n_connection_set_security_policy(struct s2n_connection *conn, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(conn);

    int validation = s2n_config_validate_security_policy(conn->config, security_policy);
    POSIX_GUARD(validation);

    conn->security_policy_override = security_policy;
    return 0;
}
1705 : :
/* Look up the policy named by version and apply it as conn's override.
 * Returns S2N_SUCCESS, or fails from the lookup or the per-connection install. */
int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;

    int lookup = s2n_find_security_policy_from_version(version, &resolved);
    POSIX_GUARD(lookup);

    int install = s2n_connection_set_security_policy(conn, resolved);
    POSIX_GUARD(install);

    return S2N_SUCCESS;
}
1713 : :
/* One-time validation and bookkeeping over every entry of security_policy_selection.
 *
 * For each built-in policy this verifies that the cipher, KEM and ECC preference
 * lists are present and well-formed, and caches three derived flags on the
 * table entry (supports_tls13, ecc_extension_required,
 * pq_kem_extension_required) that the later lookup helpers read instead of
 * rescanning the suites. Checks are applied in order and the first failure
 * bails out immediately, leaving later entries unvisited. Returns 0 when every
 * entry passes.
 */
int s2n_security_policies_init()
{
    for (int i = 0; security_policy_selection[i].version != NULL; i++) {
        const struct s2n_security_policy *security_policy = security_policy_selection[i].security_policy;
        POSIX_ENSURE_REF(security_policy);
        const struct s2n_cipher_preferences *cipher_preference = security_policy->cipher_preferences;
        POSIX_ENSURE_REF(cipher_preference);
        const struct s2n_kem_preferences *kem_preference = security_policy->kem_preferences;
        POSIX_ENSURE_REF(kem_preference);
        const struct s2n_ecc_preferences *ecc_preference = security_policy->ecc_preferences;
        POSIX_ENSURE_REF(ecc_preference);
        POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));

        /* certificate_signature_preferences is optional; validate it only when set. */
        const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
        if (certificate_signature_preference != NULL) {
            POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
        }

        /* security_policy_null is the one policy allowed to offer no key exchange at all. */
        if (security_policy != &security_policy_null) {
            /* All policies must have at least one ecc curve or PQ kem group configured. */
            bool ecc_kx_supported = ecc_preference->count > 0;
            bool pq_kx_supported = kem_preference->tls13_kem_group_count > 0;
            POSIX_ENSURE(ecc_kx_supported || pq_kx_supported, S2N_ERR_INVALID_SECURITY_POLICY);

            /* A PQ key exchange is only supported in TLS 1.3, so PQ-only policies must require TLS 1.3.*/
            if (!ecc_kx_supported) {
                POSIX_ENSURE(security_policy->minimum_protocol_version >= S2N_TLS13, S2N_ERR_INVALID_SECURITY_POLICY);
            }
        }

        /* Derive the cached per-entry flags from the suites, in preference order. */
        for (int j = 0; j < cipher_preference->count; j++) {
            struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
            POSIX_ENSURE_REF(cipher);

            const uint8_t *iana = cipher->iana_value;

            /* A single TLS 1.3 suite anywhere in the list marks the policy TLS 1.3 capable. */
            if (cipher->minimum_required_tls_version >= S2N_TLS13) {
                security_policy_selection[i].supports_tls13 = 1;
            }

            /* Sanity check that valid tls13 has minimum tls version set correctly:
             * the IANA value is a TLS 1.3 suite exactly when the minimum version is TLS 1.3. */
            S2N_ERROR_IF(s2n_is_valid_tls13_cipher(iana) ^ (cipher->minimum_required_tls_version >= S2N_TLS13),
                    S2N_ERR_INVALID_SECURITY_POLICY);

            if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
                security_policy_selection[i].ecc_extension_required = 1;
            }

            /* The TLS 1.2 PQ KEM extension is only required when the policy also lists
             * TLS 1.2 KEMs; a PQ suite with an empty kems list does not set the flag. */
            if (s2n_cipher_suite_requires_pq_extension(cipher) && kem_preference->kem_count > 0) {
                security_policy_selection[i].pq_kem_extension_required = 1;
            }
        }

        /* The KEM lists must agree with whether the TLS 1.2 PQ KEM extension is required. */
        POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[i].pq_kem_extension_required));

        /* Validate that security rules are correctly applied.
         * This should be checked by a unit test, but outside of unit tests we
         * check again here to cover the case where the unit tests are not run.
         */
        if (!s2n_in_unit_test()) {
            struct s2n_security_rule_result result = { 0 };
            POSIX_GUARD_RESULT(s2n_security_policy_validate_security_rules(security_policy, &result));
            POSIX_ENSURE(!result.found_error, S2N_ERR_INVALID_SECURITY_POLICY);
        }
    }
    return 0;
}
1781 : :
/* Report whether any cipher suite in the policy requires the ECC extension.
 *
 * Built-in policies answer from the ecc_extension_required flag cached on their
 * security_policy_selection entry by s2n_security_policies_init(); any other
 * policy is scanned suite by suite. NULL, or a policy with no cipher
 * preferences, yields false.
 */
bool s2n_ecc_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Built-in policy: use the precomputed flag. */
    size_t idx = 0;
    while (security_policy_selection[idx].version != NULL) {
        if (security_policy_selection[idx].security_policy == security_policy) {
            return security_policy_selection[idx].ecc_extension_required == 1;
        }
        idx++;
    }

    /* Custom policy: derive the answer from its suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t s = 0; s < prefs->count && !required; s++) {
        required = s2n_cipher_suite_requires_ecc_extension(prefs->suites[s]);
    }
    return required;
}
1807 : :
/* Report whether the policy requires the TLS 1.2 PQ KEM extension.
 *
 * Built-in policies answer from the pq_kem_extension_required flag cached on
 * their security_policy_selection entry by s2n_security_policies_init(). A
 * custom policy whose kem_preferences list no TLS 1.2 KEMs never needs the
 * extension; otherwise its suites are scanned. NULL, or a policy with no cipher
 * preferences, yields false.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Built-in policy: use the precomputed flag. */
    size_t idx = 0;
    while (security_policy_selection[idx].version != NULL) {
        if (security_policy_selection[idx].security_policy == security_policy) {
            return security_policy_selection[idx].pq_kem_extension_required == 1;
        }
        idx++;
    }

    /* Preferences with no KEMs for the TLS 1.2 PQ KEM extension do not require that extension. */
    const struct s2n_kem_preferences *kems = security_policy->kem_preferences;
    if (kems && kems->kem_count == 0) {
        return false;
    }

    /* Custom policy: derive the answer from its suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t s = 0; s < prefs->count && !required; s++) {
        required = s2n_cipher_suite_requires_pq_extension(prefs->suites[s]);
    }
    return required;
}
1837 : :
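/* Checks whether cipher preference supports TLS 1.3 based on whether it is configured
 * with TLS 1.3 ciphers. Returns true or false.
 *
 * Built-in policies answer from the supports_tls13 flag that
 * s2n_security_policies_init() cached on their security_policy_selection entry;
 * any other policy is scanned for a suite whose minimum_required_tls_version is
 * at least S2N_TLS13. NULL, or a policy with no cipher preferences, yields false.
 */
bool s2n_security_policy_supports_tls13(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    /* Index with size_t, not uint8_t: the loop only stops on the NULL sentinel, so
     * a uint8_t index would wrap to 0 at 256 entries and spin forever once the
     * selection table grows past that. The sibling lookups already use a wider type. */
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            return security_policy_selection[i].supports_tls13 == 1;
        }
    }

    /* if cipher preference is not in the official list, compute the result */
    const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
    if (cipher_preferences == NULL) {
        return false;
    }

    for (size_t i = 0; i < cipher_preferences->count; i++) {
        if (cipher_preferences->suites[i]->minimum_required_tls_version >= S2N_TLS13) {
            return true;
        }
    }

    return false;
}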
1867 : :
/* Decide whether conn's negotiated parameters would have been acceptable under
 * the policy named by version.
 *
 * Returns 1 when the negotiated protocol version meets the policy's minimum and
 * the negotiated cipher suite appears in its cipher preferences, 0 when either
 * condition fails, and bails (POSIX_ENSURE_REF / POSIX_GUARD) on a NULL
 * argument, a connection with no negotiated suite, or an unknown policy name.
 */
int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(conn->secure);
    POSIX_ENSURE_REF(conn->secure->cipher_suite);

    const struct s2n_security_policy *policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &policy));
    POSIX_ENSURE_REF(policy);

    /* A negotiated version below the policy's floor is never valid. */
    if (s2n_connection_get_actual_protocol_version(conn) < policy->minimum_protocol_version) {
        return 0;
    }

    struct s2n_cipher_suite *negotiated = conn->secure->cipher_suite;
    POSIX_ENSURE_REF(negotiated);

    const struct s2n_cipher_preferences *prefs = policy->cipher_preferences;
    for (int idx = 0; idx < prefs->count; ++idx) {
        /* IANA ids are compared in constant time, matching how the rest of the
         * library treats cipher-suite identifiers. */
        if (s2n_constant_time_equals(prefs->suites[idx]->iana_value, negotiated->iana_value, S2N_TLS_CIPHER_SUITE_LEN)) {
            return 1;
        }
    }

    return 0;
}
1894 : :
/* Check that a kem_preferences list is internally consistent.
 *
 * Each count must be zero exactly when its list pointer is NULL, the TLS 1.3
 * group count may not exceed S2N_KEM_GROUPS_COUNT (S2N_ERR_ARRAY_INDEX_OOB),
 * and the TLS 1.2 KEM list must be populated exactly when
 * pq_kem_extension_required says the TLS 1.2 PQ KEM extension is needed.
 * Returns S2N_SUCCESS, or fails with S2N_ERR_INVALID_SECURITY_POLICY.
 */
int s2n_validate_kem_preferences(const struct s2n_kem_preferences *kem_preferences, bool pq_kem_extension_required)
{
    POSIX_ENSURE_REF(kem_preferences);

    /* Basic sanity checks to assert that the count is 0 if and only if the associated list is NULL */
    bool tls13_groups_consistent = S2N_IFF(kem_preferences->tls13_kem_group_count == 0,
            kem_preferences->tls13_kem_groups == NULL);
    POSIX_ENSURE(tls13_groups_consistent, S2N_ERR_INVALID_SECURITY_POLICY);

    bool tls12_kems_consistent = S2N_IFF(kem_preferences->kem_count == 0, kem_preferences->kems == NULL);
    POSIX_ENSURE(tls12_kems_consistent, S2N_ERR_INVALID_SECURITY_POLICY);

    POSIX_ENSURE(kem_preferences->tls13_kem_group_count <= S2N_KEM_GROUPS_COUNT, S2N_ERR_ARRAY_INDEX_OOB);

    /* The PQ KEM extension is applicable only to TLS 1.2: the TLS 1.2 KEM list is
     * non-empty if and only if that extension is required. */
    POSIX_ENSURE(S2N_IFF(pq_kem_extension_required, kem_preferences->kem_count > 0), S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(S2N_IFF(pq_kem_extension_required, kem_preferences->kems != NULL), S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_SUCCESS;
}
1917 : :
/* Check that a certificate signature preference list is usable.
 *
 * Counts the schemes whose libcrypto_nid is NID_rsassaPss and requires that
 * number to be either 0 or NUM_RSA_PSS_SCHEMES: the list must carry all of the
 * RSA-PSS schemes or none of them. Returns S2N_RESULT_OK, or fails with
 * S2N_ERR_INVALID_SECURITY_POLICY.
 */
S2N_RESULT s2n_validate_certificate_signature_preferences(const struct s2n_signature_preferences *certificate_signature_preferences)
{
    RESULT_ENSURE_REF(certificate_signature_preferences);

    size_t pss_schemes = 0;
    size_t total = certificate_signature_preferences->count;
    for (size_t idx = 0; idx < total; idx++) {
        const struct s2n_signature_scheme *scheme = certificate_signature_preferences->signature_schemes[idx];
        pss_schemes += (scheme->libcrypto_nid == NID_rsassaPss) ? 1 : 0;
    }

    /*
     * https://github.com/aws/s2n-tls/issues/3435
     *
     * The Openssl function used to parse signatures off certificates does not differentiate between any rsa pss
     * signature schemes. Therefore a security policy with a certificate signatures preference list must include
     * all rsa_pss signature schemes. */
    bool all_or_none = (pss_schemes == 0) || (pss_schemes == NUM_RSA_PSS_SCHEMES);
    RESULT_ENSURE(all_or_none, S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_RESULT_OK;
}
1939 : :
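/* Map a built-in policy back to its name in security_policy_selection.
 *
 * On success *version points at the table's name string and S2N_RESULT_OK is
 * returned. *version is set to NULL first, so on failure
 * (S2N_ERR_INVALID_SECURITY_POLICY: the policy is not a table entry, which
 * includes a NULL policy) the caller sees NULL rather than stale data.
 */
S2N_RESULT s2n_security_policy_get_version(const struct s2n_security_policy *security_policy, const char **version)
{
    RESULT_ENSURE_REF(version);
    *version = NULL;

    /* Index with size_t, not uint8_t: the loop only stops on the NULL sentinel, so
     * a uint8_t index would wrap to 0 at 256 entries and never terminate once the
     * selection table grows past that. */
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            *version = security_policy_selection[i].version;
            return S2N_RESULT_OK;
        }
    }
    RESULT_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}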
1952 : :
/* Check a certificate's signature algorithm against the policy.
 *
 * If the policy has certificate_signature_preferences, info->signature_nid must
 * match the libcrypto_nid of one listed scheme; otherwise the function bails
 * with the caller-supplied error. A policy without certificate signature
 * preferences accepts everything. Returns S2N_RESULT_OK when accepted.
 */
S2N_RESULT s2n_security_policy_validate_cert_signature(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_signature_preferences *allowed = security_policy->certificate_signature_preferences;
    if (allowed == NULL) {
        /* No restriction configured. */
        return S2N_RESULT_OK;
    }

    bool permitted = false;
    for (size_t idx = 0; idx < allowed->count && !permitted; idx++) {
        permitted = (allowed->signature_schemes[idx]->libcrypto_nid == info->signature_nid);
    }
    RESULT_ENSURE(permitted, error);

    return S2N_RESULT_OK;
}
1971 : :
/* Check a certificate's public key type and size against the policy.
 *
 * If the policy has certificate_key_preferences, some listed key must match
 * both info->public_key_nid and info->public_key_bits; otherwise the function
 * bails with the caller-supplied error. A policy without certificate key
 * preferences accepts everything. Returns S2N_RESULT_OK when accepted.
 */
S2N_RESULT s2n_security_policy_validate_cert_key(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_certificate_key_preferences *allowed = security_policy->certificate_key_preferences;
    if (allowed == NULL) {
        /* No restriction configured. */
        return S2N_RESULT_OK;
    }

    bool permitted = false;
    for (size_t idx = 0; idx < allowed->count && !permitted; idx++) {
        const struct s2n_certificate_key *key = allowed->certificate_keys[idx];
        /* Both the algorithm and the exact key size must match. */
        permitted = (key->public_key_libcrypto_nid == info->public_key_nid)
                && (key->bits == info->public_key_bits);
    }
    RESULT_ENSURE(permitted, error);

    return S2N_RESULT_OK;
}
1990 : :
/* Validate every certificate in a locally loaded chain against the policy.
 *
 * Does nothing unless the policy sets certificate_preferences_apply_locally.
 * Otherwise each cert's key (s2n_security_policy_validate_cert_key) and then
 * its signature (s2n_security_policy_validate_cert_signature) is checked, and
 * the first violation fails with S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT.
 * Returns S2N_RESULT_OK when the whole chain is acceptable.
 */
S2N_RESULT s2n_security_policy_validate_certificate_chain(
        const struct s2n_security_policy *security_policy,
        const struct s2n_cert_chain_and_key *cert_key_pair)
{
    RESULT_ENSURE_REF(security_policy);
    RESULT_ENSURE_REF(cert_key_pair);
    RESULT_ENSURE_REF(cert_key_pair->cert_chain);

    /* Local enforcement is opt-in per policy. */
    if (!security_policy->certificate_preferences_apply_locally) {
        return S2N_RESULT_OK;
    }

    for (struct s2n_cert *cert = cert_key_pair->cert_chain->head; cert != NULL; cert = cert->next) {
        RESULT_GUARD(s2n_security_policy_validate_cert_key(security_policy, &cert->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        RESULT_GUARD(s2n_security_policy_validate_cert_signature(security_policy, &cert->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
    }

    return S2N_RESULT_OK;
}