1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_security_policies.h"
17 : :
18 : : #include "api/s2n.h"
19 : : #include "crypto/s2n_pq.h"
20 : : #include "tls/s2n_certificate_keys.h"
21 : : #include "tls/s2n_connection.h"
22 : : #include "tls/s2n_supported_group_preferences.h"
23 : : #include "utils/s2n_safety.h"
24 : :
/* Default as of 10/2025: TLS1.2 floor, PQ key exchange via the 2025-07 IETF
 * KEM groups, and the S2N_PERFECT_FORWARD_SECRECY rule asserted.
 * No certificate_signature_preferences table is set here (compare the FIPS
 * counterpart security_policy_20251015 below). */
const struct s2n_security_policy security_policy_20251014 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
36 : :
/* FIPS default as of 10/2025. Same TLS1.2 floor and KEM groups as
 * security_policy_20251014, but with its own cipher table (20251015), an
 * explicit certificate_signature_preferences table, the 20201021 ECC curves,
 * and both the PFS and S2N_FIPS_140_3 rules asserted. */
const struct s2n_security_policy security_policy_20251015 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251015,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
50 : :
/* TLS1.2 floor, no PQ key exchange (kem_preferences_null), PFS rule asserted.
 * Shares the 20240331 cipher table with the FIPS variant security_policy_20240502. */
const struct s2n_security_policy security_policy_20240501 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
61 : :
/* FIPS counterpart of security_policy_20240501: same cipher and signature
 * tables, plus an explicit certificate_signature_preferences table, the
 * 20201021 ECC curves, and the S2N_FIPS_140_3 rule asserted alongside PFS. */
const struct s2n_security_policy security_policy_20240502 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
74 : :
/* TLS1.3 default as of 05/2024. TLS1.2 floor, no PQ key exchange
 * (kem_preferences_null), PFS rule asserted. Reuses the CloudFront
 * cloudfront_tls_1_2_2019 cipher table. */
const struct s2n_security_policy security_policy_20240503 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
87 : :
/* PQ default as of 07/2024: security_policy_20240503 with the 2023-06 PQ
 * KEM groups (pre-IETF codepoints; see security_policy_20241001 for the
 * IETF version). PFS rule asserted. */
const struct s2n_security_policy security_policy_20240730 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
100 : :
/* security_policy_20240730 with the KEM groups moved to the 2024-10 IETF
 * table; everything else (TLS1.2 floor, tables, PFS rule) is unchanged. */
const struct s2n_security_policy security_policy_20241001 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
112 : :
/* security_policy_20241001, but with ML-DSA added: both the signature and the
 * certificate-signature tables move to their 20250512 versions. TLS1.2 floor,
 * 2024-10 IETF KEM groups and the PFS rule are unchanged. */
const struct s2n_security_policy security_policy_20250512 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
125 : :
/* security_policy_20250512 with the KEM groups moved to the 2025-07 IETF
 * table; signature tables, TLS1.2 floor and PFS rule are unchanged. */
const struct s2n_security_policy security_policy_20250721 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
137 : :
/* security_policy_20241001 with the "mixed" 2024-10 KEM table instead of the
 * pure IETF one. Presumably offers both pre-IETF and IETF PQ codepoints for
 * transition -- confirm against kem_preferences_pq_tls_1_3_mixed_2024_10. */
const struct s2n_security_policy security_policy_20241001_pq_mixed = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
149 : :
/* TLS1.2 floor, no PQ key exchange, dedicated 20240603 cipher and ECC tables.
 * No .rules entry is given, so neither the PFS nor the FIPS rule is asserted
 * (unset designated-initializer members are zero, i.e. false). */
const struct s2n_security_policy security_policy_20240603 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240603,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240603,
};
158 : :
/* Legacy policy: TLS1.0 floor, 2014-era signature and ECC tables, no PQ
 * key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_20170210 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170210,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
166 : :
/* TLS1.0 floor with the 20210831 cipher table and the 2020-era signature /
 * ECC tables; certificate signatures are restricted by the 20201110 table.
 * No PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_20240417 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210831,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
175 : :
/*
 * This security policy is derived from the following specification:
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
 *
 * Minimum protocol version is TLS1.2. All tables are the "default_fips"
 * ones; note that certificate_signature_preferences deliberately points at
 * the same s2n_signature_preferences_default_fips table as
 * signature_preferences. No PQ key exchange. PFS and S2N_FIPS_140_3 rules
 * are asserted.
 */
const struct s2n_security_policy security_policy_20240416 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_default_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_default_fips,
    .certificate_signature_preferences = &s2n_signature_preferences_default_fips,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
194 : :
/* FIPS policy: TLS1.2 floor, 20230317 cipher table, the 20230317 signature
 * table used for both handshake and certificate signatures, 20201021 ECC
 * curves, no PQ key exchange. PFS and S2N_FIPS_140_3 rules asserted. */
const struct s2n_security_policy security_policy_20230317 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20230317,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
207 : :
/* security_policy_20230317 with the cipher table moved to 20240331; all
 * other tables and the PFS / S2N_FIPS_140_3 rules are unchanged. */
const struct s2n_security_policy security_policy_20240331 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
220 : :
/* TLS1.0 floor, 20190801 cipher table, no PQ key exchange, no rules asserted.
 * Differs from security_policy_20190802 only in the ECC table (20200310 here). */
const struct s2n_security_policy security_policy_20190801 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
233 : :
/* Same as security_policy_20190801 except for the older 20140601 ECC table.
 * TLS1.0 floor, no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_20190802 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
246 : :
/* Legacy policy: TLS1.0 floor, 20170405 cipher table, 2014-era signature and
 * ECC tables, no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_20170405 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
254 : :
/* security_policy_20170405 with the "_gcm" cipher table variant; identical
 * floor (TLS1.0), signature and ECC tables, no PQ, no rules asserted. */
const struct s2n_security_policy security_policy_20170405_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
262 : :
/* ELB 2015-04 predefined policy: TLS1.0 floor, 2014-era signature and ECC
 * tables, no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_elb_2015_04 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2015_04,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
270 : :
/* ELB 2016-08 predefined policy: TLS1.0 floor, 2014-era signature and ECC
 * tables, no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_elb_2016_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2016_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
278 : :
/* ELB TLS-1-1-2017-01: raises the floor to TLS1.1; otherwise the same
 * 2014-era signature / ECC tables, no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_1_2017_01 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_tls_1_1_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
286 : :
/* ELB TLS-1-2-2017-01: TLS1.2 floor, 2014-era signature / ECC tables, no PQ
 * key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_2_2017_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
294 : :
/* ELB TLS-1-2-Ext-2018-06: TLS1.2 floor with the "ext" (extended) cipher
 * table, 2014-era signature / ECC tables, no PQ, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_2_ext_2018_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_ext_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
302 : :
/* ELB FS-2018-06: forward-secrecy policy (S2N_PERFECT_FORWARD_SECRECY rule
 * asserted) that still admits TLS1.0 as the floor. 2014-era signature / ECC
 * tables, no PQ key exchange. */
const struct s2n_security_policy security_policy_elb_fs_2018_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_fs_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
313 : :
/* ELB FS-1-2-2019-08: forward-secrecy policy with a TLS1.2 floor. 2014-era
 * signature / ECC tables, no PQ key exchange, PFS rule asserted. */
const struct s2n_security_policy security_policy_elb_fs_1_2_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
324 : :
/* ELB FS-1-1-2019-08: forward-secrecy policy with a TLS1.1 floor. 2014-era
 * signature / ECC tables, no PQ key exchange, PFS rule asserted. */
const struct s2n_security_policy security_policy_elb_fs_1_1_2019_08 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_fs_1_1_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
335 : :
/* ELB FS-1-2-Res-2019-08 ("restricted"): TLS1.2 floor with its own cipher
 * table, 2014-era signature / ECC tables, no PQ, PFS rule asserted. */
const struct s2n_security_policy security_policy_elb_fs_1_2_Res_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_Res_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
346 : :
/* CloudFront upstream (origin-facing). NOTE(review): the floor is S2N_SSLv3,
 * the lowest version in this file; the _tls10/_tls11/_tls12 variants below
 * only raise that floor. 2014-era signature table, 20230623 ECC curves,
 * no PQ key exchange, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_upstream = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
355 : :
/* CloudFront upstream with a TLS1.0 floor and its own _tls10 cipher table;
 * signature / ECC tables as security_policy_cloudfront_upstream. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
363 : :
/* CloudFront upstream with a TLS1.1 floor and its own _tls11 cipher table;
 * signature / ECC tables as security_policy_cloudfront_upstream. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls11,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
371 : :
/* CloudFront upstream with a TLS1.2 floor and its own _tls12 cipher table;
 * signature / ECC tables as security_policy_cloudfront_upstream. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
379 : :
/* CloudFront upstream 2025 -- same as original upstream above, but with:
 * 1. TLSv1.3 enabled and
 * 2. signature preferences updated to s2n_signature_preferences_20250820
 *    (the table actually referenced below), expanding support for RSA PSS
 *    while preserving support for legacy signature algorithms.
 * The S2N_SSLv3 floor and the 20230623 ECC table are unchanged; the
 * _tls10/_tls11/_tls12/_tls13 variants that follow only raise the floor. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
392 : :
/* security_policy_cloudfront_upstream_2025_08_08 with the floor raised to
 * TLS1.0; same cipher, signature and ECC tables. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
400 : :
/* security_policy_cloudfront_upstream_2025_08_08 with the floor raised to
 * TLS1.1; same cipher, signature and ECC tables. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
408 : :
/* security_policy_cloudfront_upstream_2025_08_08 with the floor raised to
 * TLS1.2; same cipher, signature and ECC tables. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
416 : :
/* TLS1.3-only member of the 2025_08_08 upstream family: TLS1.3 floor and a
 * dedicated _tls13 cipher table (the others share the generic table). */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
424 : :
/* PQ-enabled security_policy_cloudfront_upstream_2025_08_08: adds the 2025-07
 * IETF KEM groups and uses the 20250821 signature table (the non-PQ variants
 * use 20250820). NOTE(review): the S2N_SSLv3 floor is retained even here. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
432 : :
/* security_policy_cloudfront_upstream_2025_08_08_pq with a TLS1.0 floor. The
 * KEM table is named for TLS1.3 key shares; older versions negotiated under
 * this floor presumably get no PQ key exchange -- confirm in the KEM code. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
440 : :
/* security_policy_cloudfront_upstream_2025_08_08_pq with a TLS1.1 floor;
 * same cipher, KEM, signature and ECC tables. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
448 : :
/* security_policy_cloudfront_upstream_2025_08_08_pq with a TLS1.2 floor;
 * same cipher, KEM, signature and ECC tables. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
456 : :
/* TLS1.3-only, PQ-enabled member of the 2025_08_08 upstream family: TLS1.3
 * floor, dedicated _tls13 cipher table, 2025-07 IETF KEM groups, 20250821
 * signature table. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
464 : :
/* CloudFront viewer facing */
/* Most permissive viewer policy: S2N_SSLv3 floor, no rules asserted. Offers
 * the 2024-10 IETF PQ KEM groups; the non-PQ twin is
 * security_policy_cloudfront_ssl_v_3_no_pq further down. */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
473 : :
/* CloudFront viewer TLSv1_2014: TLS1.0 floor, 2024-10 IETF PQ KEM groups,
 * 2020-era signature / ECC tables, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
481 : :
/* Historically: security_policy_cloudfront_tls_1_0_2014 with IETF standard KEM
 * groups. As defined here it is field-for-field identical to
 * security_policy_cloudfront_tls_1_0_2014, which now also uses
 * kem_preferences_pq_tls_1_3_ietf_2024_10; presumably kept so callers that
 * select the "_pq_beta" name keep working. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_pq_beta = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
490 : :
/* security_policy_cloudfront_tls_1_0_2014 with the "_sha256" cipher table
 * variant; floor (TLS1.0), KEM, signature and ECC tables unchanged. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_sha256 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_sha256,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
498 : :
/* CloudFront viewer TLSv1_2016: TLS1.0 floor, 2024-10 IETF PQ KEM groups,
 * 2020-era signature / ECC tables, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
506 : :
/* Same cipher, signature and ECC tables as security_policy_cloudfront_tls_1_0_2016,
 * but with TLS 1.2 as the minimum and without PQ key exchange
 * (kem_preferences_null instead of the 2024-10 IETF KEM groups). */
const struct s2n_security_policy security_policy_20241106 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
515 : :
/* CloudFront viewer TLSv1.1_2016: TLS1.1 floor, 2024-10 IETF PQ KEM groups,
 * 2020-era signature / ECC tables, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
523 : :
/* CloudFront viewer TLSv1.2_2017: TLS1.2 floor, 2024-10 IETF PQ KEM groups,
 * 2020-era signature / ECC tables, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
531 : :
/* CloudFront viewer TLSv1.2_2018 without SHA-1 signature schemes: TLS1.2
 * floor, the "_no_sha1" variant of the 20200207 signature table, 2024-10
 * IETF PQ KEM groups, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
539 : :
/* Beta variant of the 2018 viewer policy: TLS1.2 floor, "_beta" cipher table,
 * the full (SHA-1 inclusive) 20200207 signature table, and no PQ key exchange. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_beta = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_beta,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
547 : :
/* CloudFront viewer TLSv1.2_2019 without SHA-1: TLS1.2 floor, 2024-10 IETF PQ
 * KEM groups, "_no_sha1" signature table, PFS rule asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
558 : :
/* CloudFront viewer TLSv1.2_2021 without SHA-1: TLS1.2 floor, 2024-10 IETF PQ
 * KEM groups, "_no_sha1" signature table, PFS rule asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
569 : :
/* Historically: security_policy_cloudfront_tls_1_2_2021_no_sha1 with IETF
 * standard KEM groups. As defined here it is field-for-field identical to
 * security_policy_cloudfront_tls_1_2_2021_no_sha1, which now also uses
 * kem_preferences_pq_tls_1_3_ietf_2024_10; presumably kept so callers that
 * select the "_pq_beta" name keep working. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1_pq_beta = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
581 : :
/* 2021 viewer policy with the "_chacha20_boosted" cipher table ordering.
 * Unlike the _no_sha1 siblings it uses the full 20200207 signature table
 * (SHA-1 schemes included) and no PQ key exchange. TLS1.2 floor, PFS asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_chacha20_boosted = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021_chacha20_boosted,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
592 : :
/* FIPS 140-3 version of the cloudfront_tls_1_2_2021 viewer policies: the
 * S2N_FIPS_140_3 rule is asserted alongside PFS, the ECC table is
 * default_fips, and signatures use the 20250813 table. TLS1.2 floor. The PQ
 * KEM groups (2024-10 IETF) are retained; the non-PQ twin is
 * security_policy_cloudfront_tls_1_2_2025_no_pq. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2025 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2025,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250813,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
605 : :
/* TLS1.3-only CloudFront viewer policy: TLS1.3 floor, dedicated tls_1_3_2025
 * cipher table, 2024-10 IETF PQ KEM groups, 20250813 signature table, PFS
 * rule asserted. Not flagged FIPS (no S2N_FIPS_140_3 rule), unlike the
 * 1_2_2025 policy above. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_3_2025 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_3_2025,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250813,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
616 : :
/* CloudFront non-pq viewer facing policies: each "_no_pq" entry below is its
 * PQ-enabled namesake with kem_preferences_null substituted; all other
 * fields are identical. */
/* NOTE(review): S2N_SSLv3 floor, no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_no_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
625 : :
/* security_policy_cloudfront_tls_1_0_2014 without PQ key exchange. TLS1.0 floor. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
633 : :
/* security_policy_cloudfront_tls_1_0_2014_sha256 without PQ key exchange. TLS1.0 floor. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_sha256_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_sha256,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
641 : :
/* security_policy_cloudfront_tls_1_0_2016 without PQ key exchange. TLS1.0 floor
 * (compare security_policy_20241106, which also raises the floor to TLS1.2). */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
649 : :
/* security_policy_cloudfront_tls_1_1_2016 without PQ key exchange. TLS1.1 floor. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_no_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
657 : :
/* security_policy_cloudfront_tls_1_2_2017 without PQ key exchange. TLS1.2 floor. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
665 : :
666 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_no_sha1_no_pq = {
667 : : .minimum_protocol_version = S2N_TLS12,
668 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
669 : : .kem_preferences = &kem_preferences_null,
670 : : .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
671 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
672 : : };
673 : :
674 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_no_sha1_no_pq = {
675 : : .minimum_protocol_version = S2N_TLS12,
676 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
677 : : .kem_preferences = &kem_preferences_null,
678 : : .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
679 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
680 : : .rules = {
681 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
682 : : },
683 : : };
684 : :
685 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1_no_pq = {
686 : : .minimum_protocol_version = S2N_TLS12,
687 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
688 : : .kem_preferences = &kem_preferences_null,
689 : : .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
690 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
691 : : .rules = {
692 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
693 : : },
694 : : };
695 : :
696 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2025_no_pq = {
697 : : .minimum_protocol_version = S2N_TLS12,
698 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2025,
699 : : .kem_preferences = &kem_preferences_null,
700 : : .signature_preferences = &s2n_signature_preferences_20250813,
701 : : .ecc_preferences = &s2n_ecc_preferences_default_fips,
702 : : .rules = {
703 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
704 : : [S2N_FIPS_140_3] = true,
705 : : },
706 : : };
707 : :
708 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_3_2025_no_pq = {
709 : : .minimum_protocol_version = S2N_TLS13,
710 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_3_2025,
711 : : .kem_preferences = &kem_preferences_null,
712 : : .signature_preferences = &s2n_signature_preferences_20250813,
713 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
714 : : .rules = {
715 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
716 : : },
717 : : };
718 : :
/*
 * CloudFront viewer facing legacy policies.
 *
 * All of these set kem_preferences_null (no PQ KEM groups). The "_legacy"
 * variants additionally fall back to the 20140601 signature and ECC lists;
 * the ssl_v_3_legacy policy accepts SSLv3.
 */

/*
 * Same cipher and ECC lists as security_policy_cloudfront_tls_1_2_2018_no_sha1_no_pq,
 * but with the plain 20200207 signature list -- by the sibling's naming this
 * one presumably still permits SHA-1 signature schemes (confirm against the
 * list). No PFS rule declared.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * NOTE(review): SSLv3 floor. Legacy-viewer compatibility only; confirm this
 * policy is not reachable from new configurations.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_legacy = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS 1.0 floor, 2014-era signature/ECC lists. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_legacy = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* The only "_legacy" policy in this run that declares the PFS rule. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
800 : :
/*
 * AWS CRT SDK policies (original set).
 *
 * The tls_10 / tls_11 / tls_12 policies share cipher_preferences_aws_crt_sdk_default
 * and differ only in the protocol floor. All use kem_preferences_null, the
 * 20200207 signature list and the 20200310 ECC list. Only tls_13 declares
 * the PFS rule.
 */

/*
 * NOTE(review): SSLv3 floor with its own cipher list. Compatibility-only;
 * confirm nothing new selects it.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS 1.3-only; dedicated cipher list and the PFS rule declared. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
843 : :
/*
 * AWS CRT SDK "_06_23" policies: identical to the corresponding policies
 * above except that the ECC list is s2n_ecc_preferences_20230623.
 * kem_preferences_null throughout -- no PQ KEM groups are configured here.
 */

/* NOTE(review): SSLv3 floor retained in the 06_23 refresh. */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3_06_23 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_06_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11_06_23 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * 2025 CRT SDK policy: TLS 1.2 floor, its own 2025 cipher list, the 20240501
 * signature list, and both the PFS and FIPS 140-3 rules declared.
 * NOTE(review): it deliberately uses the older 20140601 ECC list rather than
 * 20230623 -- presumably to restrict the curve set for FIPS; confirm.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
898 : :
/*
 * KMS (non-PQ) policies. All declare the PFS rule and use kem_preferences_null.
 */

/* TLS 1.0 floor with the 2014-era signature and ECC lists. */
const struct s2n_security_policy security_policy_kms_tls_1_0_2018_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_kms_tls_1_0_2021_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * Same lists as security_policy_kms_tls_1_0_2021_08 (note the reused
 * "tls_1_0" cipher list), but with TLS 1.2 as the minimum version.
 */
const struct s2n_security_policy security_policy_kms_tls_1_2_2023_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
931 : :
/*
 * NOTE(review): despite the "pq" in its name, this policy carries
 * kem_preferences_null, so no post-quantum KEM groups are configured by it.
 * Presumably the draft KEMs it originally referenced were retired and the
 * name was kept for compatibility -- callers must not assume PQ protection
 * from this policy. Same applies to kms_pq_tls_1_0_2020_02 below.
 */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2019_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2019_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* NOTE(review): "pq" name, but kem_preferences_null -- no PQ KEM configured. */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_02,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* First KMS policy here with a real KEM list (kem_preferences_pq_tls_1_0_2021_05). */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* General-purpose PQ policy: TLS 1.0 floor, 2021_05 KEM list, newer sig/ECC lists, PFS rule. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2020_12 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2020_12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
975 : :
/*
 * pq_tls_*_2021_05_xx family.
 *
 * All ten share kem_preferences_pq_tls_1_0_2021_05 and the 20200310 ECC list;
 * they differ in protocol floor (TLS 1.1 for _17 and _21, TLS 1.0 otherwise),
 * cipher list, and signature list (20140601 for _17/_18/_19/_20/_25,
 * 20200207 for the rest). Only _20 and _24 declare the PFS rule.
 */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_17 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_17,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_18 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_18,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_19 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_19,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_20 = {
    .minimum_protocol_version = S2N_TLS10,
    /* Yes, this is the same cipher_preferences as kms_pq_tls_1_0_2020_07. The difference between these policies is
     * the ecc_preferences, with this one adding support for x25519. */
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS 1.1 floor; the 20200207 signature list. */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_21 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_22 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_23,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* PFS rule declared; the cipher list is reused by several later policies. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_24 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_25 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_25,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_26 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
1063 : :
/*
 * Same as security_policy_pq_tls_1_0_2021_05_24 (cipher list, sig/ECC lists,
 * PFS rule, TLS 1.0 floor) but with the 2023_01 KEM list.
 */
const struct s2n_security_policy security_policy_pq_tls_1_0_2023_01_24 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2023_01,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1074 : :
/*
 * pq_tls_1_2_2023_04_xx: TLS 1.2 re-issues of the 2021_05 policies. Each keeps
 * its predecessor's cipher list, the 2021_05 KEM list, the 20200207 signature
 * list and the 20200310 ECC list; only the protocol floor changes.
 */

/* Same as security_policy_pq_tls_1_1_2021_05_21, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_22, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_24 (including its PFS rule), but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_0_2021_05_26, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
1113 : :
/*
 * TLS 1.2 floor (despite the "tls_1_3" in the name) with the 2023_06 KEM list
 * and the 20201021 ECC list. No rules declared.
 */
const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_3_2023_06_01,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * pq_tls_1_2_2023_10_xx: the 2023_04_xx policies with the 2023_06 KEM list.
 * NOTE(review): per the comments on the 2024_10 successors further down, this
 * KEM list still carries the TLS 1.2 Kyber groups and does not include ML-KEM;
 * prefer the 2024_10 policies where standardized ML-KEM is wanted.
 */

/* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_09 (including its PFS rule), but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
1160 : :
/*
 * General purpose "mostly" FIPS + PQ policy (with the exception of supporting RSA Key Exchange
 * for backwards compatibility). Because RSA key exchange is allowed, neither the FIPS 140-3
 * nor the PFS rule is declared here.
 */
const struct s2n_security_policy security_policy_pq_20231213 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231213,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * General purpose FIPS + PQ policy that meets all current FIPS requirements.
 * NOTE(review): declares S2N_FIPS_140_3 but not S2N_PERFECT_FORWARD_SECRECY;
 * if the 20231214 cipher list is all-ephemeral, consider declaring PFS too so
 * the property is checked rather than implied.
 */
const struct s2n_security_policy security_policy_pq_20231214 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231214,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * FIPS + PQ Policy that uses KMS's FIPS cipher preference list and meets all current FIPS
 * requirements. Declares the FIPS rule only (its 2024_10 successor also declares PFS).
 */
const struct s2n_security_policy security_policy_pq_20231215 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};
1193 : :
/*
 * Same as security_policy_aws_crt_sdk_tls_10_06_23 but with (IETF-standardized) ML-KEM Support.
 * NOTE(review): the floor stays at TLS 1.0. The KEM list is named for TLS 1.3,
 * so connections negotiated below TLS 1.3 under this policy presumably get no
 * PQ key exchange -- confirm before relying on the "_pq" suffix.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_07_25_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with (IETF-standardized) ML-KEM Support */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_07_25_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_aws_crt_sdk_tls_13_06_23 but with (IETF-standardized) ML-KEM Support.
 * NOTE(review): not quite the same -- tls_13_06_23 declares the
 * S2N_PERFECT_FORWARD_SECRECY rule and this policy does not. If the omission
 * is unintentional, add the rules block so the property stays checked.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_07_25_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_aws_crt_sdk_tls_12_06_23 but with ML-KEM Support, via the
 * "mixed_2024_10" KEM list rather than the ietf_2025_07 list used by the 07_25 policies.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
1229 : :
/*
 * pq_tls_1_2_2024_10_xx: successors to the 2023_10_xx policies. All use the
 * mixed_2024_10 KEM list (ML-KEM added, TLS 1.2 Kyber removed), the 20200207
 * signature list and the 20200310 ECC list. Only _10_09 declares the PFS rule.
 */

/*
 * Same as security_policy_pq_tls_1_2_2023_10_07, but with TLS 1.2 Kyber removed, and added ML-KEM support.
 * Note the cipher list is borrowed from the ELB TLS 1.3 policy rather than the pq_tls_1_1_2021_05_21 list.
 */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls13_1_2_Ext2_2021_06,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_08, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_10, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008_gcm,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_09 (PFS rule kept) but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241009,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
/*
 * KMS FIPS policies. All have a TLS 1.2 floor and declare the PFS rule.
 * NOTE(review): only the 2024_10 policy also declares S2N_FIPS_140_3; the
 * 2018_10 and 2021_08 policies are named "fips" but do not declare the rule,
 * so nothing in this struct checks that property for them.
 */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Newer signature list (20200207) but still the 20140601 ECC list; no PQ KEM. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2021_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * Same as security_policy_pq_20231215, but with only ML-KEM Support
 * (kem_preferences_pq_tls_1_3_ietf_2024_10), and with the PFS rule declared
 * in addition to the FIPS 140-3 rule.
 */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2024_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1302 : :
/*
 * Historical 2014-2016 policies. Each pairs its own cipher table with the 2014-06
 * signature and curve tables and no KEM table, and none declares a rule, so neither
 * forward secrecy nor FIPS compliance is asserted for them through the rules array.
 * security_policy_20140601 is the only policy in this group with an SSLv3 floor; the
 * rest require TLS 1.0.
 */
const struct s2n_security_policy security_policy_20140601 = {
    /* SSLv3 floor: the lowest minimum version used by any policy in this section. */
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_20140601,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20141001 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20141001,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150202 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150202,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160411 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160411,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150306 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150306,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160804 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160804,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160824 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160824,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * 2019 revisions. All keep the 2014-06 signature and curve tables, use no KEM table and
 * declare no rules; they differ only in which cipher table they reference. 20190214 and
 * 20190214_gcm are otherwise identical, so the difference between them lives entirely
 * in the two cipher tables (defined elsewhere).
 */
const struct s2n_security_policy security_policy_20190122 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190121 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190121,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190120 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190120,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Same as security_policy_20190214 apart from the cipher table. */
const struct s2n_security_policy security_policy_20190214_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * Mixed-era TLS 1.0-floor policies, none of which declares a rule or uses a KEM table:
 * - 20210825 / 20210825_gcm pair the 2021-08 cipher tables with the 2020-02 signature
 *   table and the 2020-03 curve table; the pair differs only in cipher table.
 * - 20170328 / 20170328_gcm and 20170718 / 20170718_gcm stay on the 2014-06 signature
 *   and curve tables; each pair differs only in cipher table.
 * - 20201021 reuses cipher_preferences_20190122 unchanged and updates only the
 *   signature and curve tables to their 2020-10 versions.
 */
const struct s2n_security_policy security_policy_20210825 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_20210825_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_20170328 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170328_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20201021 = {
    .minimum_protocol_version = S2N_TLS10,
    /* Deliberately the 2019-01 cipher table; only the signature/curve tables moved forward. */
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * 20210816 and its _gcm variant: TLS 1.2 floor, 2021-08 signature and curve tables, no
 * KEM table, and both the perfect forward secrecy and S2N_FIPS_140_3 rules declared.
 * The two differ only in the cipher table they reference.
 */
const struct s2n_security_policy security_policy_20210816 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_20210816_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * TLS 1.2 floor, no KEM table. This policy declares no rules, unlike its 20251013
 * derivative below, so the rules-driven checks do not assert forward secrecy or FIPS
 * compliance for it. It is also the first policy in this section to set
 * certificate_key_preferences and certificate_preferences_apply_locally; the exact
 * effect of the "apply locally" flag is defined with struct s2n_security_policy (not
 * visible here) — presumably the certificate tables are enforced on the local chain
 * as well as the peer's; confirm against the struct's documentation.
 */
const struct s2n_security_policy security_policy_20250429 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20250429,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * The following exceptions to this specification are made:
 * - RSA cipher suites are not supported to allow for perfect forward secrecy.
 * - DHE cipher suites are not supported to remove the possibility of improper Diffie-Hellman
 * parameter configuration.
 *
 * Identical to security_policy_20250429 above except for the cipher table
 * (cipher_preferences_20251013 — presumably where the RSA/DHE exclusions above are
 * expressed; the table itself is defined elsewhere) and the addition of the perfect
 * forward secrecy and S2N_FIPS_140_3 rules.
 */
const struct s2n_security_policy security_policy_20251013 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251013,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is a mix of default_tls13 (20240503) and rfc9151, with
 * a primary requirement that AES-256 is the ciphersuite chosen. Other
 * requirements are generally picked to raise minimum thresholds (e.g.,
 * requiring TLS 1.3) where possible without losing compatibility with modern
 * default_tls13 clients or servers.
 *
 * TLS 1.3 floor, no KEM table, the 2025-04 signature table paired with the 2020-11
 * certificate signature table. Declares only the perfect forward secrecy rule; see
 * security_policy_20250414 below for the follow-up revision.
 */
const struct s2n_security_policy security_policy_20250211 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * This is essentially identical to 20250211, but fixes a bug which required
 * P-384 keys on certificates, which invalidated the compatibility promise for
 * that policy.
 *
 * Relative to 20250211 there are two visible differences, not one: the signature
 * table moves from s2n_signature_preferences_20250429 to
 * s2n_signature_preferences_20240501 (by elimination, the P-384 fix described
 * above — cipher, certificate signature and curve tables are unchanged), and the
 * S2N_FIPS_140_3 rule is declared in addition to perfect forward secrecy. The
 * second difference is not mentioned above; it may well be intentional, but it
 * widens the change beyond the stated bug fix and deserves a sentence here.
 */
const struct s2n_security_policy security_policy_20250414 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * 2025-11 policies. All five share the 2025-11 signature, certificate signature and
 * curve tables, no KEM table, and strongly_preferred_groups = &cnsa_1_strong_preference
 * (declared outside this file; presumably a CNSA 1.0 group ordering that is preferred
 * ahead of the regular curve table — confirm against its definition). They differ only
 * in cipher table, except that 20251116 lowers the floor to TLS 1.0 while the other four
 * require TLS 1.2. None of them declares a rule.
 */
const struct s2n_security_policy security_policy_20251113 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251113,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};

const struct s2n_security_policy security_policy_20251114 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251114,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};

const struct s2n_security_policy security_policy_20251115 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251115,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};

const struct s2n_security_policy security_policy_20251116 = {
    /* Only member of this group with a floor below TLS 1.2. */
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20251116,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};

const struct s2n_security_policy security_policy_20251117 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251117,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};

/*
 * Policies named test_*. Properties visible here:
 * - test_all and test_all_tls13 have an SSLv3 floor; test_all is the only policy in
 *   this section that uses kem_preferences_all and s2n_signature_preferences_all
 *   together.
 * - test_all_tls12 uses the 2021-05 TLS 1.0 KEM table; every other member of this
 *   group except test_all uses the null KEM table.
 * - test_all_fips declares only S2N_FIPS_140_3 (no forward secrecy rule);
 *   test_all_ecdsa and test_all_tls13 declare only perfect forward secrecy;
 *   test_all, test_all_tls12 and test_all_rsa_kex declare no rules at all.
 */
const struct s2n_security_policy security_policy_test_all = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

const struct s2n_security_policy security_policy_test_all_tls12 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

const struct s2n_security_policy security_policy_test_all_fips = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_test_all_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_test_all_fips,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_test_all_ecdsa = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_ecdsa,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_test_all_rsa_kex = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_rsa_kex,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_test_all_tls13 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * PQ-only test policy: TLS 1.3 floor, the 2025-07 "ietf" KEM table and
 * s2n_ecc_preferences_null, so no classical curve is offered through the curve table
 * (what the KEM table contributes is defined elsewhere).
 * NOTE(review): certificate_signature_preferences points at
 * s2n_signature_preferences_20240501, the same table as signature_preferences, whereas
 * every other policy in this section that sets the field uses a dedicated
 * s2n_certificate_signature_preferences_* table; confirm this is intentional.
 */
const struct s2n_security_policy security_policy_test_pq_only = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_null,
};

/*
 * Despite the date-style name this is configured like the test policies above: SSLv3
 * floor and the cipher_preferences_test_all_tls13 table. It matches
 * security_policy_test_all_tls13 in every field except signature_preferences
 * (the 2020-10 table instead of s2n_signature_preferences_all).
 */
const struct s2n_security_policy security_policy_20200207 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_20200207 except for the cipher table and the absence of any rule. */
const struct s2n_security_policy security_policy_test_ecdsa_priority = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_ecdsa_priority,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

/*
 * Every preference table is the corresponding null table, with a TLS 1.0 floor and no
 * rules. Presumably an empty sentinel rather than a negotiable policy — confirm at the
 * call sites that reference it.
 */
const struct s2n_security_policy security_policy_null = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_null,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_null,
    .ecc_preferences = &s2n_ecc_preferences_null,
};

1706 : : struct s2n_security_policy_selection security_policy_selection[] = {
1707 : : /* If changing named policies, please update the usage guide's docs on the corresponding policy.
1708 : : * You likely also want to update the compatibility unit tests in (tests/unit/s2n_security_rules_test.c).
1709 : : */
1710 : : { .version = "default", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1711 : : { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1712 : : { .version = "default_fips", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1713 : : { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1714 : : { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1715 : : { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1716 : : { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1717 : : { .version = "20240503", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1718 : : { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1719 : : { .version = "20240331", .security_policy = &security_policy_20240331, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1720 : : { .version = "20240417", .security_policy = &security_policy_20240417, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1721 : : { .version = "20240416", .security_policy = &security_policy_20240416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1722 : : { .version = "20240730", .security_policy = &security_policy_20240730, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1723 : : { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1724 : : { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1725 : : { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1726 : : { .version = "20251014", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1727 : : { .version = "20251015", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1728 : : { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1729 : : { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1730 : : /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */
1731 : : { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1732 : : { .version = "ELBSecurityPolicy-2016-08", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1733 : : { .version = "ELBSecurityPolicy-TLS-1-1-2017-01", .security_policy = &security_policy_elb_tls_1_1_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1734 : : { .version = "ELBSecurityPolicy-TLS-1-2-2017-01", .security_policy = &security_policy_elb_tls_1_2_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1735 : : { .version = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", .security_policy = &security_policy_elb_tls_1_2_ext_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1736 : : { .version = "ELBSecurityPolicy-FS-2018-06", .security_policy = &security_policy_elb_fs_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1737 : : { .version = "ELBSecurityPolicy-FS-1-2-2019-08", .security_policy = &security_policy_elb_fs_1_2_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1738 : : { .version = "ELBSecurityPolicy-FS-1-1-2019-08", .security_policy = &security_policy_elb_fs_1_1_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1739 : : { .version = "ELBSecurityPolicy-FS-1-2-Res-2019-08", .security_policy = &security_policy_elb_fs_1_2_Res_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1740 : : { .version = "CloudFront-Upstream", .security_policy = &security_policy_cloudfront_upstream, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1741 : : { .version = "CloudFront-Upstream-TLS-1-0", .security_policy = &security_policy_cloudfront_upstream_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1742 : : { .version = "CloudFront-Upstream-TLS-1-1", .security_policy = &security_policy_cloudfront_upstream_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1743 : : { .version = "CloudFront-Upstream-TLS-1-2", .security_policy = &security_policy_cloudfront_upstream_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1744 : : { .version = "CloudFront-Upstream-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1745 : : { .version = "CloudFront-Upstream-TLS-1-0-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1746 : : { .version = "CloudFront-Upstream-TLS-1-1-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1747 : : { .version = "CloudFront-Upstream-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1748 : : { .version = "CloudFront-Upstream-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1749 : : { .version = "CloudFront-Upstream-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1750 : : { .version = "CloudFront-Upstream-TLS-1-0-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1751 : : { .version = "CloudFront-Upstream-TLS-1-1-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1752 : : { .version = "CloudFront-Upstream-TLS-1-2-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1753 : : { .version = "CloudFront-Upstream-TLS-1-3-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1754 : : /* CloudFront Viewer Facing */
1755 : : { .version = "CloudFront-SSL-v-3", .security_policy = &security_policy_cloudfront_ssl_v_3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1756 : : { .version = "CloudFront-TLS-1-0-2014", .security_policy = &security_policy_cloudfront_tls_1_0_2014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1757 : : { .version = "CloudFront-TLS-1-0-2014-sha256", .security_policy = &security_policy_cloudfront_tls_1_0_2014_sha256, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1758 : : { .version = "CloudFront-TLS-1-0-2016", .security_policy = &security_policy_cloudfront_tls_1_0_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1759 : : { .version = "CloudFront-TLS-1-1-2016", .security_policy = &security_policy_cloudfront_tls_1_1_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1760 : : { .version = "CloudFront-TLS-1-2-2017", .security_policy = &security_policy_cloudfront_tls_1_2_2017, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1761 : : { .version = "CloudFront-TLS-1-2-2018-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2018_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1762 : : { .version = "CloudFront-TLS-1-2-2019-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2019_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1763 : : { .version = "CloudFront-TLS-1-2-2021-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1764 : : { .version = "CloudFront-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_tls_1_2_2025, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1765 : : { .version = "CloudFront-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_tls_1_3_2025, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1766 : : /* CloudFront Non-PQ Viewer Facing */
1767 : : { .version = "CloudFront-SSL-v-3-no-pq", .security_policy = &security_policy_cloudfront_ssl_v_3_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1768 : : { .version = "CloudFront-TLS-1-0-2014-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2014_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1769 : : { .version = "CloudFront-TLS-1-0-2014-sha256-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2014_sha256_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1770 : : { .version = "CloudFront-TLS-1-0-2016-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2016_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1771 : : { .version = "CloudFront-TLS-1-1-2016-no-pq", .security_policy = &security_policy_cloudfront_tls_1_1_2016_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1772 : : { .version = "CloudFront-TLS-1-2-2017-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2017_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1773 : : { .version = "CloudFront-TLS-1-2-2018-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2018_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1774 : : { .version = "CloudFront-TLS-1-2-2019-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2019_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1775 : : { .version = "CloudFront-TLS-1-2-2021-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1776 : : { .version = "CloudFront-TLS-1-2-2025-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2025_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1777 : : { .version = "CloudFront-TLS-1-3-2025-no-pq", .security_policy = &security_policy_cloudfront_tls_1_3_2025_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1778 : : /* CloudFront Unofficial Viewer Facing */
1779 : : { .version = "CloudFront-TLS-1-0-2014-PQ-Beta", .security_policy = &security_policy_cloudfront_tls_1_0_2014_pq_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1780 : : { .version = "CloudFront-TLS-1-2-2021-no-sha1-PQ-Beta", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1_pq_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1781 : : { .version = "CloudFront-TLS-1-2-2018-Beta", .security_policy = &security_policy_cloudfront_tls_1_2_2018_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1782 : : { .version = "CloudFront-TLS-1-2-2021-Chacha20-Boosted", .security_policy = &security_policy_cloudfront_tls_1_2_2021_chacha20_boosted, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1783 : : /* CloudFront Legacy policies */
1784 : : { .version = "CloudFront-SSL-v-3-Legacy", .security_policy = &security_policy_cloudfront_ssl_v_3_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1785 : : { .version = "CloudFront-TLS-1-0-2014-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2014_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1786 : : { .version = "CloudFront-TLS-1-0-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1787 : : { .version = "CloudFront-TLS-1-1-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_1_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1788 : : { .version = "CloudFront-TLS-1-2-2018-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2018_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1789 : : { .version = "CloudFront-TLS-1-2-2019-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2019_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1790 : : { .version = "CloudFront-TLS-1-2-2018", .security_policy = &security_policy_cloudfront_tls_1_2_2018, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1791 : : { .version = "CloudFront-TLS-1-2-2019", .security_policy = &security_policy_cloudfront_tls_1_2_2019, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1792 : : { .version = "CloudFront-TLS-1-2-2021", .security_policy = &security_policy_cloudfront_tls_1_2_2021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1793 : : /* CRT allows users to choose the minimal TLS protocol they want to negotiate with. This translates to 5 different security policies in s2n */
1794 : : { .version = "AWS-CRT-SDK-SSLv3.0", .security_policy = &security_policy_aws_crt_sdk_ssl_v3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1795 : : { .version = "AWS-CRT-SDK-TLSv1.0", .security_policy = &security_policy_aws_crt_sdk_tls_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1796 : : { .version = "AWS-CRT-SDK-TLSv1.1", .security_policy = &security_policy_aws_crt_sdk_tls_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1797 : : { .version = "AWS-CRT-SDK-TLSv1.2", .security_policy = &security_policy_aws_crt_sdk_tls_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1798 : : { .version = "AWS-CRT-SDK-TLSv1.3", .security_policy = &security_policy_aws_crt_sdk_tls_13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1799 : : { .version = "AWS-CRT-SDK-SSLv3.0-2023", .security_policy = &security_policy_aws_crt_sdk_ssl_v3_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1800 : : { .version = "AWS-CRT-SDK-TLSv1.0-2023", .security_policy = &security_policy_aws_crt_sdk_tls_10_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1801 : : { .version = "AWS-CRT-SDK-TLSv1.0-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_10_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1802 : : { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1803 : : { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1804 : : { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1805 : : { .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1806 : : { .version = "AWS-CRT-SDK-TLSv1.2-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1807 : : { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1808 : : { .version = "AWS-CRT-SDK-TLSv1.3-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_13_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1809 : : /* KMS TLS Policies*/
1810 : : { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1811 : : { .version = "KMS-TLS-1-0-2021-08", .security_policy = &security_policy_kms_tls_1_0_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1812 : : { .version = "KMS-TLS-1-2-2023-06", .security_policy = &security_policy_kms_tls_1_2_2023_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1813 : : { .version = "KMS-FIPS-TLS-1-2-2018-10", .security_policy = &security_policy_kms_fips_tls_1_2_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1814 : : { .version = "KMS-FIPS-TLS-1-2-2021-08", .security_policy = &security_policy_kms_fips_tls_1_2_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1815 : : { .version = "KMS-FIPS-TLS-1-2-2024-10", .security_policy = &security_policy_kms_fips_tls_1_2_2024_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1816 : : { .version = "PQ-TLS-1-0-2023-01-24", .security_policy = &security_policy_pq_tls_1_0_2023_01_24, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1817 : : { .version = "PQ-TLS-1-2-2023-04-07", .security_policy = &security_policy_pq_tls_1_2_2023_04_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1818 : : { .version = "PQ-TLS-1-2-2023-04-08", .security_policy = &security_policy_pq_tls_1_2_2023_04_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1819 : : { .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1820 : : { .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1821 : : { .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1822 : : { .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1823 : : { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1824 : : { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1825 : : { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1826 : : { .version = "PQ-TLS-1-2-2023-12-13", .security_policy = &security_policy_pq_20231213, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1827 : : { .version = "PQ-TLS-1-2-2023-12-14", .security_policy = &security_policy_pq_20231214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1828 : : { .version = "PQ-TLS-1-2-2023-12-15", .security_policy = &security_policy_pq_20231215, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1829 : : { .version = "PQ-TLS-1-2-2024-10-07", .security_policy = &security_policy_pq_tls_1_2_2024_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1830 : : { .version = "PQ-TLS-1-2-2024-10-08", .security_policy = &security_policy_pq_tls_1_2_2024_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1831 : : { .version = "PQ-TLS-1-2-2024-10-08_gcm", .security_policy = &security_policy_pq_tls_1_2_2024_10_08_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1832 : : { .version = "PQ-TLS-1-2-2024-10-09", .security_policy = &security_policy_pq_tls_1_2_2024_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1833 : : { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1834 : : { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1835 : : { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1836 : : { .version = "20150214", .security_policy = &security_policy_20150214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1837 : : { .version = "20150306", .security_policy = &security_policy_20150306, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1838 : : { .version = "20160411", .security_policy = &security_policy_20160411, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1839 : : { .version = "20160804", .security_policy = &security_policy_20160804, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1840 : : { .version = "20160824", .security_policy = &security_policy_20160824, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1841 : : { .version = "20170210", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1842 : : { .version = "20170328", .security_policy = &security_policy_20170328, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1843 : : { .version = "20170328_gcm", .security_policy = &security_policy_20170328_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1844 : : { .version = "20190214", .security_policy = &security_policy_20190214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1845 : : { .version = "20190214_gcm", .security_policy = &security_policy_20190214_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1846 : : { .version = "20210825", .security_policy = &security_policy_20210825, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1847 : : { .version = "20210825_gcm", .security_policy = &security_policy_20210825_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1848 : : { .version = "20170405", .security_policy = &security_policy_20170405, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1849 : : { .version = "20170405_gcm", .security_policy = &security_policy_20170405_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1850 : : { .version = "20170718", .security_policy = &security_policy_20170718, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1851 : : { .version = "20170718_gcm", .security_policy = &security_policy_20170718_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1852 : : { .version = "20190120", .security_policy = &security_policy_20190120, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1853 : : { .version = "20190121", .security_policy = &security_policy_20190121, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1854 : : { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1855 : : { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1856 : : { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1857 : : { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1858 : : { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1859 : : { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1860 : : { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1861 : : { .version = "20240603", .security_policy = &security_policy_20240603, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1862 : : { .version = "20250211", .security_policy = &security_policy_20250211, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1863 : : { .version = "20250414", .security_policy = &security_policy_20250414, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1864 : : { .version = "20250429", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1865 : : { .version = "20251013", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1866 : : { .version = "20251113", .security_policy = &security_policy_20251113, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1867 : : { .version = "20251114", .security_policy = &security_policy_20251114, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1868 : : { .version = "20251115", .security_policy = &security_policy_20251115, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1869 : : { .version = "20251116", .security_policy = &security_policy_20251116, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1870 : : /* the same as 20251114, but without any SHA1 HMAC ciphers */
1871 : : { .version = "20251117", .security_policy = &security_policy_20251117, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1872 : : /* If changing this, please update the usage guide's docs on the corresponding policy. */
1873 : : { .version = "rfc9151", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1874 : : { .version = "test_all", .security_policy = &security_policy_test_all, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1875 : : { .version = "test_all_fips", .security_policy = &security_policy_test_all_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1876 : : { .version = "test_all_ecdsa", .security_policy = &security_policy_test_all_ecdsa, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1877 : : { .version = "test_all_rsa_kex", .security_policy = &security_policy_test_all_rsa_kex, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1878 : : { .version = "test_ecdsa_priority", .security_policy = &security_policy_test_ecdsa_priority, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1879 : : { .version = "test_all_tls12", .security_policy = &security_policy_test_all_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1880 : : { .version = "test_all_tls13", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1881 : : { .version = "test_pq_only", .security_policy = &security_policy_test_pq_only, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1882 : : { .version = "null", .security_policy = &security_policy_null, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
1883 : : { .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
1884 : : };
1885 : :
/* Policy names that are no longer offered.
 *
 * s2n_find_security_policy_from_version() consults this list (case-insensitively)
 * after the live table misses and fails with S2N_ERR_DEPRECATED_SECURITY_POLICY,
 * so callers can tell a retired name apart from one that never existed
 * (S2N_ERR_INVALID_SECURITY_POLICY). Names here are never resolved to a policy.
 */
const char *deprecated_security_policies[] = {
    "KMS-PQ-TLS-1-0-2019-06",
    "KMS-PQ-TLS-1-0-2020-02",
    "KMS-PQ-TLS-1-0-2020-07",
    "PQ-TLS-1-0-2020-12",
    "PQ-TLS-1-1-2021-05-17",
    "PQ-TLS-1-0-2021-05-18",
    "PQ-TLS-1-0-2021-05-19",
    "PQ-TLS-1-0-2021-05-20",
    "PQ-TLS-1-1-2021-05-21",
    "PQ-TLS-1-0-2021-05-22",
    "PQ-TLS-1-0-2021-05-23",
    "PQ-TLS-1-0-2021-05-24",
    "PQ-TLS-1-0-2021-05-25",
    "PQ-TLS-1-0-2021-05-26",
    "PQ-SIKE-TEST-TLS-1-0-2019-11",
    "PQ-SIKE-TEST-TLS-1-0-2020-02",
};
/* Element count of the list above; keeps the lookup loop in sync with the table. */
const size_t deprecated_security_policies_len = s2n_array_len(deprecated_security_policies);
1905 : :
/* Resolves a security policy name to its policy definition.
 *
 * The comparison is case-insensitive. A name listed in
 * deprecated_security_policies is recognized but rejected with
 * S2N_ERR_DEPRECATED_SECURITY_POLICY; any other unknown name fails with
 * S2N_ERR_INVALID_SECURITY_POLICY.
 *
 * @param version          policy name to look up (must be non-NULL)
 * @param security_policy  out-parameter; on success points at the matching table entry
 * @return 0 on success, -1 with the error set otherwise
 */
int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(security_policy);

    /* Live policies: the table is terminated by an entry whose version is NULL. */
    size_t idx = 0;
    while (security_policy_selection[idx].version != NULL) {
        if (strcasecmp(version, security_policy_selection[idx].version) == 0) {
            *security_policy = security_policy_selection[idx].security_policy;
            return 0;
        }
        idx++;
    }

    /* Retired names get a distinct error so callers can tell "removed" from "never existed". */
    for (size_t d = 0; d < deprecated_security_policies_len; d++) {
        if (strcasecmp(version, deprecated_security_policies[d]) == 0) {
            POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
        }
    }

    POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1926 : :
/* Checks that a security policy can be used with this config and libcrypto
 * before it is installed on a config or connection.
 *
 * Fails with S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED when the policy's minimum
 * protocol version is above what libcrypto fully supports, and with
 * S2N_ERR_INVALID_SECURITY_POLICY when a strongly preferred KEM group is not
 * available or the policy offers neither an ECC curve nor a KEM group.
 * security_policy_null is exempt from the key-exchange and certificate checks.
 *
 * @return S2N_SUCCESS, or -1 with the error set
 */
static int s2n_config_validate_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* A policy cannot demand a protocol version that libcrypto cannot negotiate. */
    bool version_supported = security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version();
    POSIX_ENSURE(version_supported, S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* The null policy negotiates nothing, so the remaining checks do not apply to it. */
    if (security_policy == &security_policy_null) {
        return S2N_SUCCESS;
    }

    /* Every strongly preferred group that names a KEM group must be backed by the libcrypto in use.
     * IANA ids that do not resolve to a KEM group are not checked here. */
    if (security_policy->strongly_preferred_groups != NULL) {
        for (size_t g = 0; g < security_policy->strongly_preferred_groups->count; g++) {
            const struct s2n_kem_group *candidate = NULL;
            bool is_kem_group = false;
            POSIX_GUARD(s2n_find_kem_group_from_iana_id(security_policy->strongly_preferred_groups->iana_ids[g],
                    &candidate, &is_kem_group));
            if (is_kem_group) {
                POSIX_ENSURE(s2n_kem_group_is_available(candidate), S2N_ERR_INVALID_SECURITY_POLICY);
            }
        }
    }

    /* At least one key exchange mechanism (ECC curve or KEM group) must be on offer,
     * otherwise no handshake using this policy could ever complete. */
    uint32_t kem_groups_available = 0;
    POSIX_GUARD_RESULT(s2n_kem_preferences_groups_available(security_policy->kem_preferences, &kem_groups_available));
    uint32_t ecc_curves_available = security_policy->ecc_preferences->count;
    POSIX_ENSURE(ecc_curves_available + kem_groups_available > 0, S2N_ERR_INVALID_SECURITY_POLICY);

    /* Certificates already loaded into the config must satisfy the policy's certificate preferences. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));
    return S2N_SUCCESS;
}
1964 : :
/* Installs a security policy on a config.
 *
 * The policy is validated against the config and libcrypto first; on failure
 * the config is left unchanged. Only the pointer is stored, not a copy.
 *
 * @return 0 on success, -1 with the error set otherwise
 */
int s2n_config_set_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);

    /* Validate before assigning so a rejected policy never becomes active. */
    POSIX_GUARD(s2n_config_validate_security_policy(config, security_policy));

    config->security_policy = security_policy;
    return S2N_SUCCESS;
}
1972 : :
/* Looks a security policy up by name and installs it on the config.
 *
 * Fails if the name is unknown or deprecated (see
 * s2n_find_security_policy_from_version) or if the policy does not validate
 * against the config (see s2n_config_set_security_policy).
 *
 * @return S2N_SUCCESS, or -1 with the error set
 */
int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));

    /* The setter already returns 0 / -1, so its result can be passed straight through. */
    return s2n_config_set_security_policy(config, resolved);
}
1980 : :
/* Overrides the config's security policy for one connection.
 *
 * The policy is validated against the connection's config first; on failure
 * the connection's existing override is left untouched. Only the pointer is
 * stored, not a copy.
 *
 * @return 0 on success, -1 with the error set otherwise
 */
int s2n_connection_set_security_policy(struct s2n_connection *conn, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(conn);

    struct s2n_config *config = conn->config;
    POSIX_GUARD(s2n_config_validate_security_policy(config, security_policy));

    conn->security_policy_override = security_policy;
    return S2N_SUCCESS;
}
1988 : :
/* Looks a security policy up by name and sets it as the connection's override.
 *
 * Fails if the name is unknown or deprecated (see
 * s2n_find_security_policy_from_version) or if the policy does not validate
 * against the connection's config (see s2n_connection_set_security_policy).
 *
 * @return S2N_SUCCESS, or -1 with the error set
 */
int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));

    /* The setter already returns 0 / -1, so its result can be passed straight through. */
    return s2n_connection_set_security_policy(conn, resolved);
}
1996 : :
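/* Scans one policy's cipher suites and records on its security_policy_selection
 * entry whether the policy supports TLS 1.3 and whether the TLS 1.2 ECC and
 * PQ KEM extensions are required. Also asserts that every suite's
 * minimum_required_tls_version agrees with s2n_is_valid_tls13_cipher().
 *
 * @param selection_idx     index into security_policy_selection of the policy being initialized
 * @param cipher_preference the policy's cipher preferences (non-NULL)
 * @param kem_preference    the policy's KEM preferences (non-NULL)
 * @return S2N_SUCCESS, or -1 with S2N_ERR_INVALID_SECURITY_POLICY (or S2N_ERR_NULL) set
 */
static int s2n_security_policy_selection_init_cipher_flags(size_t selection_idx,
        const struct s2n_cipher_preferences *cipher_preference,
        const struct s2n_kem_preferences *kem_preference)
{
    POSIX_ENSURE_REF(cipher_preference);
    POSIX_ENSURE_REF(kem_preference);

    for (size_t j = 0; j < cipher_preference->count; j++) {
        struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
        POSIX_ENSURE_REF(cipher);

        bool requires_tls13 = cipher->minimum_required_tls_version >= S2N_TLS13;
        if (requires_tls13) {
            security_policy_selection[selection_idx].supports_tls13 = 1;
        }

        /* A suite must be a TLS 1.3 suite if and only if it is marked as requiring TLS 1.3;
         * a mismatch would let a suite be negotiated under the wrong protocol version. */
        POSIX_ENSURE(!(s2n_is_valid_tls13_cipher(cipher->iana_value) ^ requires_tls13), S2N_ERR_INVALID_SECURITY_POLICY);

        if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
            security_policy_selection[selection_idx].ecc_extension_required = 1;
        }

        /* The TLS 1.2 PQ KEM extension is only needed when the policy actually lists KEMs. */
        if (s2n_cipher_suite_requires_pq_extension(cipher) && kem_preference->kem_count > 0) {
            security_policy_selection[selection_idx].pq_kem_extension_required = 1;
        }
    }

    return S2N_SUCCESS;
}

/* Validates every policy in security_policy_selection and derives the
 * per-policy flags (supports_tls13, ecc_extension_required,
 * pq_kem_extension_required) that the lookup helpers in this file read.
 *
 * Must run before those helpers are used. Stops at the first inconsistent
 * policy, normally with S2N_ERR_INVALID_SECURITY_POLICY set. Outside unit
 * tests it additionally re-checks each policy's security rules, so a build
 * whose tests were skipped still cannot ship a policy violating them.
 *
 * @return 0 on success, -1 with the error set otherwise
 */
int s2n_security_policies_init()
{
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        const struct s2n_security_policy *security_policy = security_policy_selection[i].security_policy;
        POSIX_ENSURE_REF(security_policy);
        const struct s2n_cipher_preferences *cipher_preference = security_policy->cipher_preferences;
        POSIX_ENSURE_REF(cipher_preference);
        const struct s2n_kem_preferences *kem_preference = security_policy->kem_preferences;
        POSIX_ENSURE_REF(kem_preference);
        const struct s2n_ecc_preferences *ecc_preference = security_policy->ecc_preferences;
        POSIX_ENSURE_REF(ecc_preference);
        POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));

        /* Certificate signature preferences are optional; validate only when present. */
        const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
        if (certificate_signature_preference != NULL) {
            POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
        }

        if (security_policy != &security_policy_null) {
            /* All policies must have at least one ecc curve or PQ kem group configured. */
            bool ecc_kx_supported = ecc_preference->count > 0;
            bool pq_kx_supported = kem_preference->tls13_kem_group_count > 0;
            POSIX_ENSURE(ecc_kx_supported || pq_kx_supported, S2N_ERR_INVALID_SECURITY_POLICY);

            /* A PQ key exchange is only supported in TLS 1.3, so PQ-only policies must require TLS 1.3. */
            if (!ecc_kx_supported) {
                POSIX_ENSURE(security_policy->minimum_protocol_version >= S2N_TLS13, S2N_ERR_INVALID_SECURITY_POLICY);
            }
        }

        POSIX_GUARD(s2n_security_policy_selection_init_cipher_flags(i, cipher_preference, kem_preference));

        /* The KEM list must be consistent with whether the suites above need the PQ KEM extension. */
        POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[i].pq_kem_extension_required));

        /* Validate that security rules are correctly applied.
         * This should be checked by a unit test, but outside of unit tests we
         * check again here to cover the case where the unit tests are not run.
         */
        if (!s2n_in_unit_test()) {
            struct s2n_security_rule_result result = { 0 };
            POSIX_GUARD_RESULT(s2n_security_policy_validate_security_rules(security_policy, &result));
            POSIX_ENSURE(!result.found_error, S2N_ERR_INVALID_SECURITY_POLICY);
        }
    }
    return 0;
}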
2064 : :
/* Reports whether a security policy requires the TLS 1.2 ECC extension.
 *
 * Policies present in security_policy_selection use the flag computed by
 * s2n_security_policies_init(); any other policy is answered by scanning its
 * cipher suites directly. A NULL policy, or one without cipher preferences,
 * never requires the extension.
 */
bool s2n_ecc_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Fast path: precomputed answer for policies in the table. */
    for (size_t idx = 0; security_policy_selection[idx].version != NULL; idx++) {
        if (security_policy_selection[idx].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[idx].ecc_extension_required == 1;
    }

    /* Slow path: the policy is not in the table, so inspect its suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_ecc_extension(prefs->suites[idx]);
    }
    return required;
}
2090 : :
/* Reports whether a security policy requires the TLS 1.2 PQ KEM extension.
 *
 * Policies present in security_policy_selection use the flag computed by
 * s2n_security_policies_init(). Otherwise a policy whose KEM preferences list
 * no TLS 1.2 KEMs does not require it, and any remaining policy is answered
 * by scanning its cipher suites. A NULL policy, or one without cipher
 * preferences, never requires the extension.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Fast path: precomputed answer for policies in the table. */
    for (size_t idx = 0; security_policy_selection[idx].version != NULL; idx++) {
        if (security_policy_selection[idx].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[idx].pq_kem_extension_required == 1;
    }

    /* With no TLS 1.2 KEMs configured there is nothing for the extension to negotiate. */
    const struct s2n_kem_preferences *kems = security_policy->kem_preferences;
    if (kems != NULL && kems->kem_count == 0) {
        return false;
    }

    /* Slow path: the policy is not in the table, so inspect its suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_pq_extension(prefs->suites[idx]);
    }
    return required;
}
2120 : :
/* Reports whether a security policy can negotiate TLS 1.3, i.e. whether it
 * contains at least one TLS 1.3 cipher suite.
 *
 * Policies present in security_policy_selection use the supports_tls13 flag
 * computed by s2n_security_policies_init(); any other policy is answered by
 * scanning its cipher suites for one whose minimum_required_tls_version is
 * S2N_TLS13 or higher. A NULL policy, or one without cipher preferences,
 * does not support TLS 1.3.
 */
bool s2n_security_policy_supports_tls13(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Fast path: precomputed answer for policies in the table. */
    for (size_t idx = 0; security_policy_selection[idx].version != NULL; idx++) {
        if (security_policy_selection[idx].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[idx].supports_tls13 == 1;
    }

    /* Slow path: the policy is not in the table, so inspect its suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool found_tls13_suite = false;
    for (size_t idx = 0; idx < prefs->count && !found_tls13_suite; idx++) {
        found_tls13_suite = prefs->suites[idx]->minimum_required_tls_version >= S2N_TLS13;
    }
    return found_tls13_suite;
}
2150 : :
/* Checks whether what a connection negotiated would have been permitted by
 * the named security policy.
 *
 * @return 1 if the negotiated protocol version meets the policy's minimum and
 *         the negotiated cipher suite is in its cipher preferences; 0 if not;
 *         -1 with the error set on a NULL argument or an unknown/deprecated name
 */
int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(conn->secure);
    POSIX_ENSURE_REF(conn->secure->cipher_suite);

    const struct s2n_security_policy *policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &policy));
    POSIX_ENSURE_REF(policy);

    /* A negotiated version below the policy's floor is a mismatch regardless of the suite. */
    if (s2n_connection_get_actual_protocol_version(conn) < policy->minimum_protocol_version) {
        return 0;
    }

    struct s2n_cipher_suite *negotiated = conn->secure->cipher_suite;
    POSIX_ENSURE_REF(negotiated);

    /* Suites are identified by their IANA value; membership means the policy allows the suite. */
    const struct s2n_cipher_preferences *prefs = policy->cipher_preferences;
    for (size_t idx = 0; idx < prefs->count; idx++) {
        const uint8_t *candidate_iana = prefs->suites[idx]->iana_value;
        if (s2n_constant_time_equals(candidate_iana, negotiated->iana_value, S2N_TLS_CIPHER_SUITE_LEN)) {
            return 1;
        }
    }

    return 0;
}
2177 : :
/* Sanity-checks a KEM preference list.
 *
 * Each count must be zero exactly when its list pointer is NULL, the TLS 1.3
 * KEM group count may not exceed S2N_KEM_GROUPS_COUNT, and the TLS 1.2 KEM
 * list must be populated if and only if the policy requires the PQ KEM
 * extension.
 *
 * @param kem_preferences           list to validate (non-NULL)
 * @param pq_kem_extension_required whether the owning policy needs the TLS 1.2 PQ KEM extension
 * @return S2N_SUCCESS, or -1 with S2N_ERR_INVALID_SECURITY_POLICY / S2N_ERR_ARRAY_INDEX_OOB set
 */
int s2n_validate_kem_preferences(const struct s2n_kem_preferences *kem_preferences, bool pq_kem_extension_required)
{
    POSIX_ENSURE_REF(kem_preferences);

    /* A count of zero and a NULL list must go together, for both list kinds. */
    bool tls13_groups_empty = kem_preferences->tls13_kem_group_count == 0;
    bool tls13_groups_null = kem_preferences->tls13_kem_groups == NULL;
    POSIX_ENSURE(S2N_IFF(tls13_groups_empty, tls13_groups_null), S2N_ERR_INVALID_SECURITY_POLICY);

    bool kems_empty = kem_preferences->kem_count == 0;
    bool kems_null = kem_preferences->kems == NULL;
    POSIX_ENSURE(S2N_IFF(kems_empty, kems_null), S2N_ERR_INVALID_SECURITY_POLICY);

    POSIX_ENSURE(kem_preferences->tls13_kem_group_count <= S2N_KEM_GROUPS_COUNT, S2N_ERR_ARRAY_INDEX_OOB);

    /* The PQ KEM extension exists only in TLS 1.2, so the TLS 1.2 KEM list must be
     * populated exactly when the extension is required and empty otherwise. */
    if (pq_kem_extension_required) {
        POSIX_ENSURE(kem_preferences->kem_count > 0, S2N_ERR_INVALID_SECURITY_POLICY);
        POSIX_ENSURE(!kems_null, S2N_ERR_INVALID_SECURITY_POLICY);
    } else {
        POSIX_ENSURE(kems_empty, S2N_ERR_INVALID_SECURITY_POLICY);
        POSIX_ENSURE(kems_null, S2N_ERR_INVALID_SECURITY_POLICY);
    }

    return S2N_SUCCESS;
}
2200 : :
/* Validates a certificate signature preference list.
 *
 * certificate_signature_preferences: the list to validate; the function bails
 *   (RESULT_ENSURE_REF) when it is NULL.
 *
 * Returns S2N_RESULT_OK when the list contains either none or all of the
 * RSA-PSS signature schemes (as counted by libcrypto_nid == NID_rsassaPss);
 * any other RSA-PSS count fails with S2N_ERR_INVALID_SECURITY_POLICY.
 */
S2N_RESULT s2n_validate_certificate_signature_preferences(const struct s2n_signature_preferences *certificate_signature_preferences)
{
    RESULT_ENSURE_REF(certificate_signature_preferences);

    const struct s2n_signature_preferences *prefs = certificate_signature_preferences;

    /* Count how many entries are RSA-PSS schemes. */
    size_t pss_count = 0;
    for (size_t idx = 0; idx < prefs->count; idx++) {
        if (prefs->signature_schemes[idx]->libcrypto_nid == NID_rsassaPss) {
            pss_count++;
        }
    }

    /*
     * https://github.com/aws/s2n-tls/issues/3435
     *
     * The Openssl function used to parse signatures off certificates does not differentiate between any rsa pss
     * signature schemes. Therefore a security policy with a certificate signatures preference list must include
     * all rsa_pss signature schemes, or none of them. */
    const bool pss_all_or_nothing = (pss_count == 0) || (pss_count == NUM_RSA_PSS_SCHEMES);
    RESULT_ENSURE(pss_all_or_nothing, S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_RESULT_OK;
}
2222 : :
/* Looks up the version string registered for a security policy.
 *
 * security_policy: the policy to look up. Matching is by pointer identity
 *   against the `security_policy_selection` table, so only the policy objects
 *   registered there are found; a structurally equal copy will not match.
 *   A NULL argument is not rejected up front and simply fails to match
 *   (presumably no table entry carries a NULL policy).
 * version: out parameter; the function bails (RESULT_ENSURE_REF) when it is
 *   NULL, and otherwise always sets it (to NULL until a match is found).
 *
 * Returns S2N_RESULT_OK with *version set on a match, or bails with
 * S2N_ERR_INVALID_SECURITY_POLICY when the policy is not in the table.
 */
S2N_RESULT s2n_security_policy_get_version(const struct s2n_security_policy *security_policy, const char **version)
{
    RESULT_ENSURE_REF(version);
    *version = NULL;

    /* The selection table is terminated by an entry whose version is NULL. */
    size_t idx = 0;
    const char *candidate = security_policy_selection[idx].version;
    while (candidate != NULL) {
        if (security_policy_selection[idx].security_policy == security_policy) {
            *version = candidate;
            return S2N_RESULT_OK;
        }
        idx++;
        candidate = security_policy_selection[idx].version;
    }

    RESULT_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
2235 : :
/* Checks a certificate's signature algorithm against the policy's
 * certificate signature preferences.
 *
 * security_policy: the policy whose certificate_signature_preferences are
 *   consulted. When that list is NULL the policy imposes no restriction and
 *   every signature is accepted.
 * info: parsed certificate details; only info->signature_nid is read.
 * error: the error raised when the signature is not in the list.
 *
 * Both pointer arguments are checked with RESULT_ENSURE_REF. Returns
 * S2N_RESULT_OK when no list is configured or the signature's libcrypto NID
 * matches an entry; otherwise bails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_signature(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_signature_preferences *prefs = security_policy->certificate_signature_preferences;

    /* No certificate signature restrictions configured for this policy. */
    if (prefs == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t idx = 0; idx < prefs->count; idx++) {
        const int allowed_nid = prefs->signature_schemes[idx]->libcrypto_nid;
        if (allowed_nid == info->signature_nid) {
            return S2N_RESULT_OK;
        }
    }

    /* A list is configured and the certificate's signature is not on it. */
    RESULT_BAIL(error);
}
2254 : :
/* Checks a certificate's public key against the policy's certificate key
 * preferences.
 *
 * security_policy: the policy whose certificate_key_preferences are
 *   consulted. When that list is NULL the policy imposes no restriction and
 *   every key is accepted.
 * info: parsed certificate details; info->public_key_nid and
 *   info->public_key_bits are read.
 * error: the error raised when the key is not in the list.
 *
 * Both pointer arguments are checked with RESULT_ENSURE_REF. A key is accepted
 * only when an entry matches on both the libcrypto NID and the exact bit
 * length; otherwise, with a list configured, the function bails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_key(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_certificate_key_preferences *prefs = security_policy->certificate_key_preferences;

    /* No certificate key restrictions configured for this policy. */
    if (prefs == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t idx = 0; idx < prefs->count; idx++) {
        /* Both the key type and its exact size have to match an entry. */
        const bool nid_matches = prefs->certificate_keys[idx]->public_key_libcrypto_nid == info->public_key_nid;
        const bool bits_match = prefs->certificate_keys[idx]->bits == info->public_key_bits;
        if (nid_matches && bits_match) {
            return S2N_RESULT_OK;
        }
    }

    /* A list is configured and the certificate's key is not on it. */
    RESULT_BAIL(error);
}
2273 : :
/* Validates every certificate in a locally configured chain against the
 * policy's certificate key and signature preferences.
 *
 * security_policy: the policy to enforce. The check runs only when
 *   certificate_preferences_apply_locally is set; otherwise the chain is
 *   accepted without being inspected.
 * cert_key_pair: the chain to validate; it and its cert_chain must be
 *   non-NULL (RESULT_ENSURE_REF).
 *
 * Walks the chain from head to tail, checking each certificate's key first
 * and then its signature. The first certificate that fails either check stops
 * validation with S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT. Returns
 * S2N_RESULT_OK when every certificate passes (or the check does not apply).
 */
S2N_RESULT s2n_security_policy_validate_certificate_chain(
        const struct s2n_security_policy *security_policy,
        const struct s2n_cert_chain_and_key *cert_key_pair)
{
    RESULT_ENSURE_REF(security_policy);
    RESULT_ENSURE_REF(cert_key_pair);
    RESULT_ENSURE_REF(cert_key_pair->cert_chain);

    /* Certificate preferences are only enforced on local chains when the
     * policy explicitly asks for it. */
    if (!security_policy->certificate_preferences_apply_locally) {
        return S2N_RESULT_OK;
    }

    for (struct s2n_cert *cert = cert_key_pair->cert_chain->head; cert != NULL; cert = cert->next) {
        const struct s2n_cert_info *cert_info = &cert->info;
        RESULT_GUARD(s2n_security_policy_validate_cert_key(security_policy, cert_info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        RESULT_GUARD(s2n_security_policy_validate_cert_signature(security_policy, cert_info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
    }

    return S2N_RESULT_OK;
}