1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_security_policies.h"
17 : :
18 : : #include "api/s2n.h"
19 : : #include "tls/s2n_certificate_keys.h"
20 : : #include "tls/s2n_connection.h"
21 : : #include "utils/s2n_safety.h"
22 : :
/*
 * Every policy below is a designated initializer of struct s2n_security_policy.
 * Members not named in an initializer are zero/NULL-initialized (C99
 * semantics), so a policy without `.certificate_signature_preferences` leaves
 * that pointer NULL, and a policy without `.rules` asserts neither
 * S2N_PERFECT_FORWARD_SECRECY nor S2N_FIPS_140_3.
 */

/* TLS1.2 default as of 05/24 */
/* PFS rule only; no dedicated certificate signature list is set. */
const struct s2n_security_policy security_policy_20240501 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* FIPS default as of 05/24 */
/* Same cipher and signature lists as 20240501, but with the 20201021 ECC list,
 * an explicit certificate signature list, and the FIPS 140-3 rule asserted. */
const struct s2n_security_policy security_policy_20240502 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* TLS1.3 default as of 05/24 */
/* The protocol floor is still TLS1.2; TLS1.3 availability comes from the
 * cipher list, which is shared with the PQ defaults below. No KEMs. */
const struct s2n_security_policy security_policy_20240503 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* PQ default as of 07/24 */
/* Identical to 20240503 except that the 2023-06 PQ KEM list is enabled. */
const struct s2n_security_policy security_policy_20240730 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Identical to 20240730 except for the IETF 2024-10 PQ KEM list. */
const struct s2n_security_policy security_policy_20241001 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* 20241001, but with ML-DSA added */
/* The addition lives in the 20250512 handshake and certificate signature
 * lists; every other member matches 20241001. */
const struct s2n_security_policy security_policy_20250512 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Identical to 20250512 except for the IETF 2025-07 PQ KEM list. */
const struct s2n_security_policy security_policy_20250721 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Identical to 20241001 except for the "mixed" 2024-10 PQ KEM list. */
const struct s2n_security_policy security_policy_20241001_pq_mixed = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* NOTE(review): no `.rules` member, so neither the PFS nor the FIPS rule is
 * asserted for this policy even though the sibling 2024 defaults assert PFS;
 * confirm that is intentional. */
const struct s2n_security_policy security_policy_20240603 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240603,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240603,
};
132 : :
/* Legacy policy: TLS1.0 floor with the 2014-06 signature and ECC lists, no
 * certificate signature list and no rules asserted. TLS1.0/1.1 are
 * deprecated by RFC 8996; keep this only where older peers still require it. */
const struct s2n_security_policy security_policy_20170210 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170210,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.0 floor paired with the 2021-08 cipher list and an explicit
 * certificate signature list; no rules asserted. */
const struct s2n_security_policy security_policy_20240417 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210831,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
149 : :
/*
 * This security policy is derived from the following specification:
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
 *
 * Supports TLS1.2
 *
 * NOTE(review): `.certificate_signature_preferences` reuses the handshake
 * signature list (`s2n_signature_preferences_default_fips`) rather than a
 * dedicated `s2n_certificate_signature_preferences_*` list; the same pattern
 * appears in 20230317 and 20240331 below. Confirm the handshake list is the
 * intended restriction on certificate chain signatures for FIPS.
 */
const struct s2n_security_policy security_policy_20240416 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_default_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_default_fips,
    .certificate_signature_preferences = &s2n_signature_preferences_default_fips,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* FIPS policy: both the handshake and certificate signature lists are
 * s2n_signature_preferences_20230317; PFS and FIPS 140-3 rules asserted. */
const struct s2n_security_policy security_policy_20230317 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20230317,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* Identical to 20230317 except for the 2024-03-31 cipher list. */
const struct s2n_security_policy security_policy_20240331 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
194 : :
/* TLS1.0 floor; no certificate signature list and no rules asserted. */
const struct s2n_security_policy security_policy_20190801 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Identical to 20190801 except for the older 2014-06 ECC list. */
const struct s2n_security_policy security_policy_20190802 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Legacy TLS1.0-floor policy on the 2014-06 signature and ECC lists. */
const struct s2n_security_policy security_policy_20170405 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Same as 20170405 but with the `_gcm` cipher list. */
const struct s2n_security_policy security_policy_20170405_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
236 : :
/*
 * ELB policies. All use the 2014-06 signature and ECC lists and no
 * certificate signature list. Only the `fs_*` variants assert the
 * S2N_PERFECT_FORWARD_SECRECY rule; the others leave `.rules` zeroed.
 */
const struct s2n_security_policy security_policy_elb_2015_04 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2015_04,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_elb_2016_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2016_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.1 floor. */
const struct s2n_security_policy security_policy_elb_tls_1_1_2017_01 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_tls_1_1_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 floor. */
const struct s2n_security_policy security_policy_elb_tls_1_2_2017_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 floor with the extended 2018-06 cipher list. */
const struct s2n_security_policy security_policy_elb_tls_1_2_ext_2018_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_ext_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Forward-secrecy variant: TLS1.0 floor but the PFS rule is asserted. */
const struct s2n_security_policy security_policy_elb_fs_2018_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_fs_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy variant with a TLS1.2 floor. */
const struct s2n_security_policy security_policy_elb_fs_1_2_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy variant with a TLS1.1 floor. */
const struct s2n_security_policy security_policy_elb_fs_1_1_2019_08 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_fs_1_1_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy "Res" variant with a TLS1.2 floor; the mixed-case `Res`
 * in the identifier is deliberate and must match the cipher list's name. */
const struct s2n_security_policy security_policy_elb_fs_1_2_Res_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_Res_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
320 : :
/* CloudFront upstream */
/* Floor is SSLv3, which is deprecated by RFC 7568; the `_tls10`/`_tls11`/
 * `_tls12` variants below raise only the floor and swap the cipher list.
 * None of the upstream policies assert any rule. */
const struct s2n_security_policy security_policy_cloudfront_upstream = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls11,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* CloudFront upstream 2025 -- same as original upstream above, but with:
 * 1. TLSv1.3 enabled and
 * 2. signature preferences updated to 2020-10-21, expanding support for RSA
 * PSS while preserving support for legacy signature algorithms
 *
 * NOTE(review): the list actually referenced is s2n_signature_preferences_20250820,
 * not a 20201021-dated list; confirm the "2020-10-21" above describes the
 * contents of that list rather than its name. Unlike the original upstream
 * policies, the tls10/tls11/tls12 variants share one cipher list and only the
 * `_tls13` variants use a separate one. The SSLv3 floor is retained.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.3 floor with the dedicated `_tls13` cipher list. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* `_pq` variants: the IETF 2025-07 PQ KEM list is enabled and the signature
 * list is s2n_signature_preferences_20250821 (one day newer than the
 * non-PQ variants' 20250820); everything else mirrors the matching
 * non-PQ policy, including the SSLv3 floor on the base variant. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
438 : :
/* CloudFront viewer facing */
/* All viewer-facing policies use the 2020-02-07 signature list and the
 * 2020-03-10 ECC list with no certificate signature list. Only the
 * `tls_1_2_2019` and later policies assert the PFS rule. The SSLv3 floor
 * here is deprecated by RFC 7568. */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_cloudfront_tls_1_0_2016, but with TLS 1.2 as minimum */
/* The cipher list is unchanged, so it may still contain suites that were
 * selected for TLS1.0 clients; only the protocol floor is raised. */
const struct s2n_security_policy security_policy_20241106 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* First viewer-facing policy to assert the PFS rule; its cipher list is also
 * reused by the 2024/2025 default policies at the top of this file. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as tls_1_2_2021 except for the chacha20-boosted cipher ordering. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_chacha20_boosted = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021_chacha20_boosted,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
529 : :
/* CloudFront viewer facing legacy TLS 1.2 policies */
/* Same protocol floors as the non-legacy viewer policies, but on the older
 * 2014-06 signature and ECC lists and the `_legacy` cipher lists. Only
 * `tls_1_2_2019_legacy` asserts the PFS rule. */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_legacy = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_legacy = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
581 : :
/*
 * AWS CRT SDK policies. The `_06_23` variants differ from their originals
 * only in using the 2023-06-23 ECC list instead of 2020-03-10. The
 * `tls_10`/`tls_11`/`tls_12` policies share one cipher list and differ only
 * in protocol floor; the `tls_13` policies use a dedicated list and are the
 * only ones here that assert the PFS rule (besides tls_30_06_25).
 */
/* SSLv3 floor (deprecated by RFC 7568). */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3_06_23 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_06_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11_06_23 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* NOTE(review): this policy asserts the FIPS 140-3 rule but, unlike the
 * other FIPS policies in this file, sets no
 * `.certificate_signature_preferences` (left NULL) and pairs the 2024-05
 * signature list with the 2014-06 ECC list; confirm both are intended.
 * The `tls_30` in the name does not match the TLS1.2 floor below. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
679 : :
680 : : const struct s2n_security_policy security_policy_kms_tls_1_0_2018_10 = { /* KMS family: TLS 1.0 floor, 2014 sig/ecc lists, PFS rule declared */
681 : : .minimum_protocol_version = S2N_TLS10,
682 : : .cipher_preferences = &cipher_preferences_kms_tls_1_0_2018_10,
683 : : .kem_preferences = &kem_preferences_null,
684 : : .signature_preferences = &s2n_signature_preferences_20140601,
685 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
686 : : .rules = {
687 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
688 : : },
689 : : };
690 : :
691 : : const struct s2n_security_policy security_policy_kms_tls_1_0_2021_08 = { /* as 2018_10 with a newer cipher list and the 2020 sig/ecc lists */
692 : : .minimum_protocol_version = S2N_TLS10,
693 : : .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
694 : : .kem_preferences = &kem_preferences_null,
695 : : .signature_preferences = &s2n_signature_preferences_20200207,
696 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
697 : : .rules = {
698 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
699 : : },
700 : : };
701 : :
702 : : const struct s2n_security_policy security_policy_kms_tls_1_2_2023_06 = { /* same preference sets as kms_tls_1_0_2021_08; only the floor is raised to TLS 1.2 */
703 : : .minimum_protocol_version = S2N_TLS12,
704 : : .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
705 : : .kem_preferences = &kem_preferences_null,
706 : : .signature_preferences = &s2n_signature_preferences_20200207,
707 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
708 : : .rules = {
709 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
710 : : },
711 : : };
712 : :
713 : : const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2019_06 = { /* KMS PQ family, first revision */
714 : : .minimum_protocol_version = S2N_TLS10,
715 : : .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2019_06,
716 : : .kem_preferences = &kem_preferences_null, /* NOTE(review): null KEM list despite the pq name; any PQ behaviour must come from the cipher list, which is not visible here */
717 : : .signature_preferences = &s2n_signature_preferences_20140601,
718 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
719 : : .rules = {
720 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
721 : : },
722 : : };
723 : :
724 : : const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02 = { /* as 2019_06 with a newer cipher list */
725 : : .minimum_protocol_version = S2N_TLS10,
726 : : .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_02,
727 : : .kem_preferences = &kem_preferences_null, /* still a null KEM list; see note on 2019_06 */
728 : : .signature_preferences = &s2n_signature_preferences_20140601,
729 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
730 : : .rules = {
731 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
732 : : },
733 : : };
734 : :
735 : : const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07 = { /* first KMS PQ revision in view that sets a non-null KEM list */
736 : : .minimum_protocol_version = S2N_TLS10,
737 : : .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
738 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
739 : : .signature_preferences = &s2n_signature_preferences_20140601,
740 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
741 : : .rules = {
742 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
743 : : },
744 : : };
745 : :
746 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2020_12 = { /* PQ family: every entry through 2021_05_26 uses kem_preferences_pq_tls_1_0_2021_05; PFS rule declared here */
747 : : .minimum_protocol_version = S2N_TLS10,
748 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2020_12,
749 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
750 : : .signature_preferences = &s2n_signature_preferences_20200207,
751 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
752 : : .rules = {
753 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
754 : : },
755 : : };
756 : :
757 : : const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_17 = { /* TLS 1.1 floor, 2014 sig list; no .rules declared */
758 : : .minimum_protocol_version = S2N_TLS11,
759 : : .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_17,
760 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
761 : : .signature_preferences = &s2n_signature_preferences_20140601,
762 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
763 : : };
764 : :
765 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_18 = { /* TLS 1.0 floor, 2014 sig list; no .rules declared */
766 : : .minimum_protocol_version = S2N_TLS10,
767 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_18,
768 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
769 : : .signature_preferences = &s2n_signature_preferences_20140601,
770 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
771 : : };
772 : :
773 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_19 = { /* as _18 with its own cipher list; no .rules declared */
774 : : .minimum_protocol_version = S2N_TLS10,
775 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_19,
776 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
777 : : .signature_preferences = &s2n_signature_preferences_20140601,
778 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
779 : : };
780 : :
781 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_20 = { /* kms_pq_tls_1_0_2020_07 with the 20200310 ECC list; PFS rule declared */
782 : : .minimum_protocol_version = S2N_TLS10,
783 : : /* Yes, this is the same cipher_preferences as kms_pq_tls_1_0_2020_07. The difference between these policies is
784 : : * the ecc_preferences, with this one adding support for x25519. */
785 : : .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
786 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
787 : : .signature_preferences = &s2n_signature_preferences_20140601,
788 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
789 : : .rules = {
790 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
791 : : },
792 : : };
793 : :
794 : : const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_21 = { /* TLS 1.1 floor, 2020 sig list; no .rules declared */
795 : : .minimum_protocol_version = S2N_TLS11,
796 : : .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
797 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
798 : : .signature_preferences = &s2n_signature_preferences_20200207,
799 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
800 : : };
801 : :
802 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_22 = { /* TLS 1.0 floor, 2020 sig list; no .rules declared */
803 : : .minimum_protocol_version = S2N_TLS10,
804 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
805 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
806 : : .signature_preferences = &s2n_signature_preferences_20200207,
807 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
808 : : };
809 : :
810 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_23 = { /* as _22 with its own cipher list; no .rules declared */
811 : : .minimum_protocol_version = S2N_TLS10,
812 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_23,
813 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
814 : : .signature_preferences = &s2n_signature_preferences_20200207,
815 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
816 : : };
817 : :
818 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_24 = { /* the one 2021_05_2x entry besides _20 that declares the PFS rule */
819 : : .minimum_protocol_version = S2N_TLS10,
820 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
821 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
822 : : .signature_preferences = &s2n_signature_preferences_20200207,
823 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
824 : : .rules = {
825 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
826 : : },
827 : : };
828 : :
829 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_25 = { /* TLS 1.0 floor, 2014 sig list; no .rules declared */
830 : : .minimum_protocol_version = S2N_TLS10,
831 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_25,
832 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
833 : : .signature_preferences = &s2n_signature_preferences_20140601,
834 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
835 : : };
836 : :
837 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_26 = { /* TLS 1.0 floor, 2020 sig list; no .rules declared */
838 : : .minimum_protocol_version = S2N_TLS10,
839 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
840 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
841 : : .signature_preferences = &s2n_signature_preferences_20200207,
842 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
843 : : };
844 : :
845 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2023_01_24 = { /* pq_tls_1_0_2021_05_24 with the KEM list bumped to 2023_01; PFS rule kept */
846 : : .minimum_protocol_version = S2N_TLS10,
847 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
848 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2023_01,
849 : : .signature_preferences = &s2n_signature_preferences_20200207,
850 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
851 : : .rules = {
852 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
853 : : },
854 : : };
856 : : /* Same as security_policy_pq_tls_1_1_2021_05_21, but with TLS 1.2 as minimum */
857 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_07 = { /* no .rules declared, matching 2021_05_21 */
858 : : .minimum_protocol_version = S2N_TLS12,
859 : : .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
860 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
861 : : .signature_preferences = &s2n_signature_preferences_20200207,
862 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
863 : : };
864 : :
865 : : /* Same as security_policy_pq_tls_1_0_2021_05_22, but with TLS 1.2 as minimum */
866 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08 = { /* no .rules declared, matching 2021_05_22 */
867 : : .minimum_protocol_version = S2N_TLS12,
868 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
869 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
870 : : .signature_preferences = &s2n_signature_preferences_20200207,
871 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
872 : : };
873 : :
874 : : /* Same as security_policy_pq_tls_1_0_2021_05_24, but with TLS 1.2 as minimum */
875 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09 = { /* PFS rule carried over from 2021_05_24 */
876 : : .minimum_protocol_version = S2N_TLS12,
877 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
878 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
879 : : .signature_preferences = &s2n_signature_preferences_20200207,
880 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
881 : : .rules = {
882 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
883 : : },
884 : : };
885 : :
886 : : /* Same as security_policy_pq_tls_1_0_2021_05_26, but with TLS 1.2 as minimum */
887 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10 = { /* no .rules declared, matching 2021_05_26 */
888 : : .minimum_protocol_version = S2N_TLS12,
889 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
890 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
891 : : .signature_preferences = &s2n_signature_preferences_20200207,
892 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
893 : : };
894 : :
895 : : const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = { /* first entry in view on the kem_preferences_pq_tls_1_3_2023_06 list */
896 : : .minimum_protocol_version = S2N_TLS12, /* NOTE(review): named tls_1_3 but the floor is TLS 1.2, so TLS 1.2 handshakes are still permitted by this field — confirm intended */
897 : : .cipher_preferences = &cipher_preferences_pq_tls_1_3_2023_06_01,
898 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
899 : : .signature_preferences = &s2n_signature_preferences_20200207,
900 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
901 : : };
902 : :
903 : : /* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
904 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = { /* only kem_preferences changes (2021_05 -> 2023_06) */
905 : : .minimum_protocol_version = S2N_TLS12,
906 : : .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
907 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
908 : : .signature_preferences = &s2n_signature_preferences_20200207,
909 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
910 : : };
911 : :
912 : : /* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
913 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = { /* only kem_preferences changes (2021_05 -> 2023_06) */
914 : : .minimum_protocol_version = S2N_TLS12,
915 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
916 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
917 : : .signature_preferences = &s2n_signature_preferences_20200207,
918 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
919 : : };
920 : :
921 : : /* Same as security_policy_pq_tls_1_2_2023_04_09, but with updated KEM prefs */
922 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = { /* only kem_preferences changes; PFS rule kept */
923 : : .minimum_protocol_version = S2N_TLS12,
924 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
925 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
926 : : .signature_preferences = &s2n_signature_preferences_20200207,
927 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
928 : : .rules = {
929 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
930 : : },
931 : : };
932 : :
933 : : /* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
934 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = { /* only kem_preferences changes (2021_05 -> 2023_06) */
935 : : .minimum_protocol_version = S2N_TLS12,
936 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
937 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
938 : : .signature_preferences = &s2n_signature_preferences_20200207,
939 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
940 : : };
941 : :
942 : : /* General purpose "mostly" FIPS + PQ policy (with the exception of supporting RSA Key Exchange for backwards compatibility). */
943 : : const struct s2n_security_policy security_policy_pq_20231213 = { /* no .rules declared: neither FIPS 140-3 nor PFS is asserted, consistent with the RSA-kex exception above */
944 : : .minimum_protocol_version = S2N_TLS12,
945 : : .cipher_preferences = &cipher_preferences_20231213,
946 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
947 : : .signature_preferences = &s2n_signature_preferences_20230317,
948 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
949 : : };
950 : :
951 : : /* General purpose FIPS + PQ policy that meets all current FIPS requirements. */
952 : : const struct s2n_security_policy security_policy_pq_20231214 = { /* as pq_20231213 with its own cipher list and the FIPS 140-3 rule declared; no PFS rule */
953 : : .minimum_protocol_version = S2N_TLS12,
954 : : .cipher_preferences = &cipher_preferences_20231214,
955 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
956 : : .signature_preferences = &s2n_signature_preferences_20230317,
957 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
958 : : .rules = {
959 : : [S2N_FIPS_140_3] = true,
960 : : },
961 : : };
962 : :
963 : : /* FIPS + PQ Policy that uses KMS's FIPS cipher preference list and meets all current FIPS requirements. */
964 : : const struct s2n_security_policy security_policy_pq_20231215 = { /* as pq_20231214 but on the kms_fips_tls_1_2_2021_08 cipher list; FIPS 140-3 rule only */
965 : : .minimum_protocol_version = S2N_TLS12,
966 : : .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
967 : : .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
968 : : .signature_preferences = &s2n_signature_preferences_20230317,
969 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
970 : : .rules = {
971 : : [S2N_FIPS_140_3] = true,
972 : : },
973 : : };
974 : :
975 : : /* Same as security_policy_aws_crt_sdk_tls_10_06_23 but with (IETF-standardized) ML-KEM Support */
976 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_07_25_pq = { /* only kem_preferences differs from tls_10_06_23 (null -> ietf_2025_07) */
977 : : .minimum_protocol_version = S2N_TLS10,
978 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
979 : : .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
980 : : .signature_preferences = &s2n_signature_preferences_20200207,
981 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
982 : : };
983 : :
984 : : /* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with (IETF-standardized) ML-KEM Support */
985 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_07_25_pq = { /* only kem_preferences differs from tls_12_06_23 (null -> ietf_2025_07) */
986 : : .minimum_protocol_version = S2N_TLS12,
987 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
988 : : .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
989 : : .signature_preferences = &s2n_signature_preferences_20200207,
990 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
991 : : };
992 : :
993 : : /* Same as security_policy_aws_crt_sdk_tls_13_06_23 but with (IETF-standardized) ML-KEM Support */
994 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_07_25_pq = { /* NOTE(review): tls_13_06_23 declares the PFS rule but this variant does not — confirm the omission is intended */
995 : : .minimum_protocol_version = S2N_TLS13,
996 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
997 : : .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
998 : : .signature_preferences = &s2n_signature_preferences_20200207,
999 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
1000 : : };
1001 : :
1002 : : /* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with ML-KEM Support */
1003 : : const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23_pq = { /* differs from tls_12_07_25_pq only in the KEM list (mixed_2024_10 vs ietf_2025_07) */
1004 : : .minimum_protocol_version = S2N_TLS12,
1005 : : .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
1006 : : .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
1007 : : .signature_preferences = &s2n_signature_preferences_20200207,
1008 : : .ecc_preferences = &s2n_ecc_preferences_20230623,
1009 : : };
1010 : :
1011 : : /* Same as security_policy_pq_tls_1_2_2023_10_07, but with TLS 1.2 Kyber removed, and added ML-KEM support */
1012 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_07 = { /* cipher list and KEM list both change relative to 2023_10_07 */
1013 : : .minimum_protocol_version = S2N_TLS12,
1014 : : .cipher_preferences = &elb_security_policy_tls13_1_2_Ext2_2021_06, /* NOTE(review): the only policy in view pointing at an elb_* list rather than a cipher_preferences_* list — confirm it is the intended "Kyber removed" list */
1015 : : .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
1016 : : .signature_preferences = &s2n_signature_preferences_20200207,
1017 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1018 : : };
1019 : :
1020 : : /* Same as security_policy_pq_tls_1_2_2023_10_08, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
1021 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08 = { /* no .rules declared, matching 2023_10_08 */
1022 : : .minimum_protocol_version = S2N_TLS12,
1023 : : .cipher_preferences = &cipher_preferences_20241008,
1024 : : .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
1025 : : .signature_preferences = &s2n_signature_preferences_20200207,
1026 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1027 : : };
1028 : :
1029 : : /* Same as security_policy_pq_tls_1_2_2023_10_10, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
1030 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08_gcm = { /* GCM variant of 2024_10_08; no .rules declared */
1031 : : .minimum_protocol_version = S2N_TLS12,
1032 : : .cipher_preferences = &cipher_preferences_20241008_gcm,
1033 : : .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
1034 : : .signature_preferences = &s2n_signature_preferences_20200207,
1035 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1036 : : };
1037 : :
1038 : : /* Same as security_policy_pq_tls_1_2_2023_10_09 but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
1039 : : const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_09 = { /* PFS rule carried over from 2023_10_09 */
1040 : : .minimum_protocol_version = S2N_TLS12,
1041 : : .cipher_preferences = &cipher_preferences_20241009,
1042 : : .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
1043 : : .signature_preferences = &s2n_signature_preferences_20200207,
1044 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1045 : : .rules = {
1046 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1047 : : },
1048 : : };
1049 : : const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = { /* KMS FIPS family, 2018 revision: TLS 1.2 floor, 2014 sig/ecc lists */
1050 : : .minimum_protocol_version = S2N_TLS12,
1051 : : .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
1052 : : .kem_preferences = &kem_preferences_null,
1053 : : .signature_preferences = &s2n_signature_preferences_20140601,
1054 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1055 : : .rules = { /* PFS only: no S2N_FIPS_140_3 rule is declared here despite the fips name (compare 2024_10 below) */
1056 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1057 : : },
1058 : : };
1059 : :
1060 : : const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2021_08 = { /* as 2018_10 with a newer cipher list and the 2020 sig list; ECC list unchanged */
1061 : : .minimum_protocol_version = S2N_TLS12,
1062 : : .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
1063 : : .kem_preferences = &kem_preferences_null,
1064 : : .signature_preferences = &s2n_signature_preferences_20200207,
1065 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1066 : : .rules = { /* PFS only: no S2N_FIPS_140_3 rule is declared here either */
1067 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1068 : : },
1069 : : };
1070 : :
1071 : : /* Same as security_policy_pq_20231215, but with only ML-KEM Support. Note that it also declares the PFS rule, which pq_20231215 does not. */
1072 : : const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2024_10 = { /* the only kms_fips entry in view with the FIPS 140-3 rule declared */
1073 : : .minimum_protocol_version = S2N_TLS12,
1074 : : .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
1075 : : .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
1076 : : .signature_preferences = &s2n_signature_preferences_20230317,
1077 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
1078 : : .rules = {
1079 : : [S2N_PERFECT_FORWARD_SECRECY] = true, /* addition relative to pq_20231215, which declares only FIPS 140-3 */
1080 : : [S2N_FIPS_140_3] = true,
1081 : : },
1082 : : };
1083 : :
1084 : : const struct s2n_security_policy security_policy_20140601 = { /* oldest dated policy in view: SSLv3 floor, no .rules declared */
1085 : : .minimum_protocol_version = S2N_SSLv3,
1086 : : .cipher_preferences = &cipher_preferences_20140601,
1087 : : .kem_preferences = &kem_preferences_null,
1088 : : .signature_preferences = &s2n_signature_preferences_20140601,
1089 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1090 : : };
1091 : :
1092 : : const struct s2n_security_policy security_policy_20141001 = { /* dated policies 20141001..20190214_gcm: TLS 1.0 floor, 20140601 sig/ecc lists, null KEM list, no .rules; only the cipher list differs */
1093 : : .minimum_protocol_version = S2N_TLS10,
1094 : : .cipher_preferences = &cipher_preferences_20141001,
1095 : : .kem_preferences = &kem_preferences_null,
1096 : : .signature_preferences = &s2n_signature_preferences_20140601,
1097 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1098 : : };
1099 : :
1100 : : const struct s2n_security_policy security_policy_20150202 = {
1101 : : .minimum_protocol_version = S2N_TLS10,
1102 : : .cipher_preferences = &cipher_preferences_20150202,
1103 : : .kem_preferences = &kem_preferences_null,
1104 : : .signature_preferences = &s2n_signature_preferences_20140601,
1105 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1106 : : };
1107 : :
1108 : : const struct s2n_security_policy security_policy_20150214 = {
1109 : : .minimum_protocol_version = S2N_TLS10,
1110 : : .cipher_preferences = &cipher_preferences_20150214,
1111 : : .kem_preferences = &kem_preferences_null,
1112 : : .signature_preferences = &s2n_signature_preferences_20140601,
1113 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1114 : : };
1115 : :
1116 : : const struct s2n_security_policy security_policy_20160411 = { /* listed out of date order (between 20150214 and 20150306) */
1117 : : .minimum_protocol_version = S2N_TLS10,
1118 : : .cipher_preferences = &cipher_preferences_20160411,
1119 : : .kem_preferences = &kem_preferences_null,
1120 : : .signature_preferences = &s2n_signature_preferences_20140601,
1121 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1122 : : };
1123 : :
1124 : : const struct s2n_security_policy security_policy_20150306 = {
1125 : : .minimum_protocol_version = S2N_TLS10,
1126 : : .cipher_preferences = &cipher_preferences_20150306,
1127 : : .kem_preferences = &kem_preferences_null,
1128 : : .signature_preferences = &s2n_signature_preferences_20140601,
1129 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1130 : : };
1131 : :
1132 : : const struct s2n_security_policy security_policy_20160804 = {
1133 : : .minimum_protocol_version = S2N_TLS10,
1134 : : .cipher_preferences = &cipher_preferences_20160804,
1135 : : .kem_preferences = &kem_preferences_null,
1136 : : .signature_preferences = &s2n_signature_preferences_20140601,
1137 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1138 : : };
1139 : :
1140 : : const struct s2n_security_policy security_policy_20160824 = {
1141 : : .minimum_protocol_version = S2N_TLS10,
1142 : : .cipher_preferences = &cipher_preferences_20160824,
1143 : : .kem_preferences = &kem_preferences_null,
1144 : : .signature_preferences = &s2n_signature_preferences_20140601,
1145 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1146 : : };
1147 : :
1148 : : const struct s2n_security_policy security_policy_20190122 = { /* cipher list reused by security_policy_20201021 below */
1149 : : .minimum_protocol_version = S2N_TLS10,
1150 : : .cipher_preferences = &cipher_preferences_20190122,
1151 : : .kem_preferences = &kem_preferences_null,
1152 : : .signature_preferences = &s2n_signature_preferences_20140601,
1153 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1154 : : };
1155 : :
1156 : : const struct s2n_security_policy security_policy_20190121 = {
1157 : : .minimum_protocol_version = S2N_TLS10,
1158 : : .cipher_preferences = &cipher_preferences_20190121,
1159 : : .kem_preferences = &kem_preferences_null,
1160 : : .signature_preferences = &s2n_signature_preferences_20140601,
1161 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1162 : : };
1163 : :
1164 : : const struct s2n_security_policy security_policy_20190120 = {
1165 : : .minimum_protocol_version = S2N_TLS10,
1166 : : .cipher_preferences = &cipher_preferences_20190120,
1167 : : .kem_preferences = &kem_preferences_null,
1168 : : .signature_preferences = &s2n_signature_preferences_20140601,
1169 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1170 : : };
1171 : :
1172 : : const struct s2n_security_policy security_policy_20190214 = {
1173 : : .minimum_protocol_version = S2N_TLS10,
1174 : : .cipher_preferences = &cipher_preferences_20190214,
1175 : : .kem_preferences = &kem_preferences_null,
1176 : : .signature_preferences = &s2n_signature_preferences_20140601,
1177 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1178 : : };
1179 : :
1180 : : const struct s2n_security_policy security_policy_20190214_gcm = { /* GCM variant of 20190214; same sig/ecc lists */
1181 : : .minimum_protocol_version = S2N_TLS10,
1182 : : .cipher_preferences = &cipher_preferences_20190214_gcm,
1183 : : .kem_preferences = &kem_preferences_null,
1184 : : .signature_preferences = &s2n_signature_preferences_20140601,
1185 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1186 : : };
1187 : :
1188 : : const struct s2n_security_policy security_policy_20210825 = { /* TLS 1.0 floor but the 2020 sig/ecc lists; no .rules declared */
1189 : : .minimum_protocol_version = S2N_TLS10,
1190 : : .cipher_preferences = &cipher_preferences_20210825,
1191 : : .kem_preferences = &kem_preferences_null,
1192 : : .signature_preferences = &s2n_signature_preferences_20200207,
1193 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1194 : : };
1195 : :
1196 : : const struct s2n_security_policy security_policy_20210825_gcm = { /* GCM variant of 20210825 */
1197 : : .minimum_protocol_version = S2N_TLS10,
1198 : : .cipher_preferences = &cipher_preferences_20210825_gcm,
1199 : : .kem_preferences = &kem_preferences_null,
1200 : : .signature_preferences = &s2n_signature_preferences_20200207,
1201 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
1202 : : };
1203 : :
1204 : : const struct s2n_security_policy security_policy_20170328 = { /* 2017 policies: TLS 1.0 floor, 20140601 sig/ecc lists, no .rules */
1205 : : .minimum_protocol_version = S2N_TLS10,
1206 : : .cipher_preferences = &cipher_preferences_20170328,
1207 : : .kem_preferences = &kem_preferences_null,
1208 : : .signature_preferences = &s2n_signature_preferences_20140601,
1209 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1210 : : };
1211 : :
1212 : : const struct s2n_security_policy security_policy_20170328_gcm = { /* GCM variant of 20170328 */
1213 : : .minimum_protocol_version = S2N_TLS10,
1214 : : .cipher_preferences = &cipher_preferences_20170328_gcm,
1215 : : .kem_preferences = &kem_preferences_null,
1216 : : .signature_preferences = &s2n_signature_preferences_20140601,
1217 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1218 : : };
1219 : :
1220 : : const struct s2n_security_policy security_policy_20170718 = {
1221 : : .minimum_protocol_version = S2N_TLS10,
1222 : : .cipher_preferences = &cipher_preferences_20170718,
1223 : : .kem_preferences = &kem_preferences_null,
1224 : : .signature_preferences = &s2n_signature_preferences_20140601,
1225 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1226 : : };
1227 : :
1228 : : const struct s2n_security_policy security_policy_20170718_gcm = { /* GCM variant of 20170718 */
1229 : : .minimum_protocol_version = S2N_TLS10,
1230 : : .cipher_preferences = &cipher_preferences_20170718_gcm,
1231 : : .kem_preferences = &kem_preferences_null,
1232 : : .signature_preferences = &s2n_signature_preferences_20140601,
1233 : : .ecc_preferences = &s2n_ecc_preferences_20140601,
1234 : : };
1235 : :
1236 : : const struct s2n_security_policy security_policy_20201021 = { /* security_policy_20190122's cipher list with the 20201021 sig/ecc lists */
1237 : : .minimum_protocol_version = S2N_TLS10,
1238 : : .cipher_preferences = &cipher_preferences_20190122, /* intentionally not a cipher_preferences_20201021 */
1239 : : .kem_preferences = &kem_preferences_null,
1240 : : .signature_preferences = &s2n_signature_preferences_20201021,
1241 : : .ecc_preferences = &s2n_ecc_preferences_20201021,
1242 : : };
1243 : :
1244 : : const struct s2n_security_policy security_policy_20210816 = { /* TLS 1.2 floor with the 20210816 lists; PFS and FIPS 140-3 rules declared */
1245 : : .minimum_protocol_version = S2N_TLS12,
1246 : : .cipher_preferences = &cipher_preferences_20210816,
1247 : : .kem_preferences = &kem_preferences_null,
1248 : : .signature_preferences = &s2n_signature_preferences_20210816,
1249 : : .ecc_preferences = &s2n_ecc_preferences_20210816,
1250 : : .rules = {
1251 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1252 : : [S2N_FIPS_140_3] = true,
1253 : : },
1254 : : };
1255 : :
1256 : : const struct s2n_security_policy security_policy_20210816_gcm = { /* GCM variant of 20210816; same rules */
1257 : : .minimum_protocol_version = S2N_TLS12,
1258 : : .cipher_preferences = &cipher_preferences_20210816_gcm,
1259 : : .kem_preferences = &kem_preferences_null,
1260 : : .signature_preferences = &s2n_signature_preferences_20210816,
1261 : : .ecc_preferences = &s2n_ecc_preferences_20210816,
1262 : : .rules = {
1263 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1264 : : [S2N_FIPS_140_3] = true,
1265 : : },
1266 : : };
1267 : :
1268 : : /*
1269 : : * This security policy is derived from the following specification:
1270 : : * https://datatracker.ietf.org/doc/html/rfc9151
1271 : : */
1272 : : const struct s2n_security_policy security_policy_20250429 = { /* the only policy in view that also constrains certificate keys and applies the certificate_* lists locally; no .rules declared */
1273 : : .minimum_protocol_version = S2N_TLS12,
1274 : : .cipher_preferences = &cipher_preferences_20250429,
1275 : : .kem_preferences = &kem_preferences_null,
1276 : : .signature_preferences = &s2n_signature_preferences_20250429,
1277 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
1278 : : .certificate_key_preferences = &s2n_certificate_key_preferences_20250429, /* not set by any other policy in view */
1279 : : .ecc_preferences = &s2n_ecc_preferences_20210816,
1280 : : .certificate_preferences_apply_locally = true, /* presumably also checks the local certificate chain against the certificate_* lists — confirm in s2n_security_policies.h */
1281 : : };
1282 : :
1283 : : /*
1284 : : * This security policy is a mix of default_tls13 (20240503) and rfc9151, with
1285 : : * a primary requirement that AES-256 is the ciphersuite chosen. Other
1286 : : * requirements are generally picked to raise minimum thresholds (e.g.,
1287 : : * requiring TLS 1.3) where possible without losing compatibility with modern
1288 : : * default_tls13 clients or servers.
1289 : : */
1290 : : const struct s2n_security_policy security_policy_20250211 = { /* TLS 1.3 floor; PFS rule declared, FIPS 140-3 not (compare 20250414) */
1291 : : .minimum_protocol_version = S2N_TLS13,
1292 : : .cipher_preferences = &cipher_preferences_20250211, /* the AES-256 requirement described above presumably lives in this list */
1293 : : .kem_preferences = &kem_preferences_null,
1294 : : .signature_preferences = &s2n_signature_preferences_20250429,
1295 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
1296 : : .ecc_preferences = &s2n_ecc_preferences_20210816,
1297 : : .rules = {
1298 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1299 : : },
1300 : : };
1301 : :
1302 : : /*
1303 : : * This is essentially identical to 20250211, but fixes a bug which required
1304 : : * P-384 keys on certificates, which invalidated the compatibility promise for
1305 : : * that policy.
1306 : : */
1307 : : const struct s2n_security_policy security_policy_20250414 = { /* differs from 20250211 in two visible places: the signature list and the added FIPS 140-3 rule */
1308 : : .minimum_protocol_version = S2N_TLS13,
1309 : : .cipher_preferences = &cipher_preferences_20250211,
1310 : : .kem_preferences = &kem_preferences_null,
1311 : : .signature_preferences = &s2n_signature_preferences_20240501, /* 20250211 uses s2n_signature_preferences_20250429; presumably this is the P-384 fix noted above */
1312 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
1313 : : .ecc_preferences = &s2n_ecc_preferences_20210816,
1314 : : .rules = {
1315 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
1316 : : [S2N_FIPS_140_3] = true, /* not declared by 20250211 */
1317 : : },
1318 : : };
1319 : :
/*
 * Test fixture, selectable as "test_all": SSLv3 floor, the full cipher list,
 * every KEM and every signature scheme. Nothing here is a hardened choice; it
 * exists so that tests can reach every negotiable option.
 */
const struct s2n_security_policy security_policy_test_all = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};
1327 : :
/*
 * Test fixture, selectable as "test_all_tls12": SSLv3 floor with the TLS 1.2
 * cipher list and the 2021-05 PQ KEM list, using the 20201021 signature and
 * ECC lists rather than the "all" lists of test_all.
 */
const struct s2n_security_policy security_policy_test_all_tls12 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};
1335 : :
/*
 * Test fixture, selectable as "test_all_fips": TLS 1.2 floor, the FIPS cipher
 * and signature lists, and the S2N_FIPS_140_3 rule asserted. The perfect
 * forward secrecy rule is deliberately not set here, unlike the production
 * FIPS default earlier in this file.
 */
const struct s2n_security_policy security_policy_test_all_fips = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_test_all_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_test_all_fips,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
            [S2N_FIPS_140_3] = true,
    },
};
1346 : :
/*
 * Test fixture, selectable as "test_all_ecdsa": TLS 1.0 floor, the ECDSA
 * cipher list and the test ECC curve list, with the perfect forward secrecy
 * rule asserted.
 */
const struct s2n_security_policy security_policy_test_all_ecdsa = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_ecdsa,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1357 : :
/*
 * Test fixture, selectable as "test_all_rsa_kex": TLS 1.0 floor with the RSA
 * key-exchange cipher list and the oldest (20140601) signature and ECC lists.
 * No rules are set, which is consistent with RSA key exchange providing no
 * forward secrecy.
 */
const struct s2n_security_policy security_policy_test_all_rsa_kex = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_rsa_kex,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
1365 : :
/*
 * Test fixture, selectable as "test_all_tls13": SSLv3 floor with the TLS 1.3
 * test cipher list, every signature scheme, the test ECC curve list, and the
 * perfect forward secrecy rule asserted. The dated policy 20200207 below
 * reuses these cipher and ECC lists.
 */
const struct s2n_security_policy security_policy_test_all_tls13 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1376 : :
/*
 * Dated policy, selectable as "20200207".
 *
 * NOTE(review): this publicly named policy is built from test lists — it shares
 * cipher_preferences_test_all_tls13 and s2n_ecc_preferences_test_all with
 * security_policy_test_all_tls13 above and floors at SSLv3, differing only in
 * its 20201021 signature list. Confirm that is intended rather than a leftover
 * from when the policy was introduced.
 */
const struct s2n_security_policy security_policy_20200207 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
            [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1387 : :
/*
 * Test fixture, selectable as "test_ecdsa_priority": SSLv3 floor with a cipher
 * list ordered to prefer ECDSA suites, the 20201021 signature list and the
 * test ECC curve list. No rules are asserted.
 */
const struct s2n_security_policy security_policy_test_ecdsa_priority = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_ecdsa_priority,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};
1395 : :
/*
 * The empty policy, selectable as "null": TLS 1.0 floor and the "null"
 * preference lists. It is the one policy s2n_security_policies_init() exempts
 * from the "at least one ECC curve" requirement (that check compares the
 * policy pointer against &security_policy_null), so it must remain the only
 * policy with an empty curve list.
 */
const struct s2n_security_policy security_policy_null = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_null,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_null,
    .ecc_preferences = &s2n_ecc_preferences_null,
};
1403 : :
/*
 * Name -> policy lookup table consulted by s2n_find_security_policy_from_version().
 *
 * The table is terminated by the { .version = NULL } sentinel on its last line
 * and lookups are case-insensitive (strcasecmp), so two names differing only in
 * case cannot coexist. Several names alias the same policy object ("default" and
 * "20240501", "rfc9151" and "20250429", the two ELB 2015-05 / 2016-08 entries,
 * "default_pq" and "20250721"): changing a dated policy changes every alias that
 * points at it. The array is deliberately not const — s2n_security_policies_init()
 * writes .supports_tls13 into each entry.
 */
struct s2n_security_policy_selection security_policy_selection[] = {
    /* If changing named policies, please update the usage guide's docs on the corresponding policy.
     * You likely also want to update the compatibility unit tests in (tests/unit/s2n_security_rules_test.c).
     */
    { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* "default_pq" is the only floating alias that resolves to a 2025 policy; the dated name "20250721" is listed below. */
    { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240503", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240331", .security_policy = &security_policy_20240331, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240417", .security_policy = &security_policy_20240417, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240416", .security_policy = &security_policy_20240416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240730", .security_policy = &security_policy_20240730, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-2016-08", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-1-2017-01", .security_policy = &security_policy_elb_tls_1_1_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-2017-01", .security_policy = &security_policy_elb_tls_1_2_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", .security_policy = &security_policy_elb_tls_1_2_ext_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-2018-06", .security_policy = &security_policy_elb_fs_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-2019-08", .security_policy = &security_policy_elb_fs_1_2_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-1-2019-08", .security_policy = &security_policy_elb_fs_1_1_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-Res-2019-08", .security_policy = &security_policy_elb_fs_1_2_Res_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront origin-facing ("Upstream") policies */
    { .version = "CloudFront-Upstream", .security_policy = &security_policy_cloudfront_upstream, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0", .security_policy = &security_policy_cloudfront_upstream_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1", .security_policy = &security_policy_cloudfront_upstream_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2", .security_policy = &security_policy_cloudfront_upstream_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Viewer Facing */
    { .version = "CloudFront-SSL-v-3", .security_policy = &security_policy_cloudfront_ssl_v_3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014", .security_policy = &security_policy_cloudfront_tls_1_0_2014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016", .security_policy = &security_policy_cloudfront_tls_1_0_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016", .security_policy = &security_policy_cloudfront_tls_1_1_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2017", .security_policy = &security_policy_cloudfront_tls_1_2_2017, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018", .security_policy = &security_policy_cloudfront_tls_1_2_2018, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019", .security_policy = &security_policy_cloudfront_tls_1_2_2019, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021", .security_policy = &security_policy_cloudfront_tls_1_2_2021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-Chacha20-Boosted", .security_policy = &security_policy_cloudfront_tls_1_2_2021_chacha20_boosted, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Legacy (TLS 1.2) policies */
    { .version = "CloudFront-SSL-v-3-Legacy", .security_policy = &security_policy_cloudfront_ssl_v_3_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2014_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_1_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2018_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2019_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CRT allows users to choose the minimal TLS protocol they want to negotiate with. This translates to 5 different security policies in s2n */
    { .version = "AWS-CRT-SDK-SSLv3.0", .security_policy = &security_policy_aws_crt_sdk_ssl_v3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0", .security_policy = &security_policy_aws_crt_sdk_tls_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1", .security_policy = &security_policy_aws_crt_sdk_tls_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2", .security_policy = &security_policy_aws_crt_sdk_tls_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3", .security_policy = &security_policy_aws_crt_sdk_tls_13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-SSLv3.0-2023", .security_policy = &security_policy_aws_crt_sdk_ssl_v3_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2023", .security_policy = &security_policy_aws_crt_sdk_tls_10_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_10_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* NOTE(review): the identifier below breaks the tls_<ver>_<mm>_<yy> pattern of its neighbours ("tls_30" for a TLSv1.2 name); confirm it is the intended policy object. */
    { .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_13_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* KMS TLS Policies */
    { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-0-2021-08", .security_policy = &security_policy_kms_tls_1_0_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-2-2023-06", .security_policy = &security_policy_kms_tls_1_2_2023_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2018-10", .security_policy = &security_policy_kms_fips_tls_1_2_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2021-08", .security_policy = &security_policy_kms_fips_tls_1_2_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2024-10", .security_policy = &security_policy_kms_fips_tls_1_2_2024_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Post-quantum (hybrid KEM) policies; the pre-2023 PQ names are listed in deprecated_security_policies below. */
    { .version = "PQ-TLS-1-0-2023-01-24", .security_policy = &security_policy_pq_tls_1_0_2023_01_24, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-07", .security_policy = &security_policy_pq_tls_1_2_2023_04_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-08", .security_policy = &security_policy_pq_tls_1_2_2023_04_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-13", .security_policy = &security_policy_pq_20231213, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-14", .security_policy = &security_policy_pq_20231214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-15", .security_policy = &security_policy_pq_20231215, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-07", .security_policy = &security_policy_pq_tls_1_2_2024_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08", .security_policy = &security_policy_pq_tls_1_2_2024_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08_gcm", .security_policy = &security_policy_pq_tls_1_2_2024_10_08_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-09", .security_policy = &security_policy_pq_tls_1_2_2024_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Dated general-purpose policies. Older entries stay selectable for compatibility; see the usage guide for what each one permits. */
    { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150214", .security_policy = &security_policy_20150214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150306", .security_policy = &security_policy_20150306, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160411", .security_policy = &security_policy_20160411, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160804", .security_policy = &security_policy_20160804, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160824", .security_policy = &security_policy_20160824, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170210", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328", .security_policy = &security_policy_20170328, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328_gcm", .security_policy = &security_policy_20170328_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214", .security_policy = &security_policy_20190214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214_gcm", .security_policy = &security_policy_20190214_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825", .security_policy = &security_policy_20210825, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825_gcm", .security_policy = &security_policy_20210825_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405", .security_policy = &security_policy_20170405, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405_gcm", .security_policy = &security_policy_20170405_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718", .security_policy = &security_policy_20170718, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718_gcm", .security_policy = &security_policy_20170718_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190120", .security_policy = &security_policy_20190120, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190121", .security_policy = &security_policy_20190121, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Upper-case "_GCM" is fine: the lookup is case-insensitive. */
    { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240603", .security_policy = &security_policy_20240603, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250211", .security_policy = &security_policy_20250211, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250414", .security_policy = &security_policy_20250414, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250429", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* If changing this, please update the usage guide's docs on the corresponding policy. */
    { .version = "rfc9151", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Test fixtures and the empty policy; selectable by name like any other entry. */
    { .version = "test_all", .security_policy = &security_policy_test_all, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_fips", .security_policy = &security_policy_test_all_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_ecdsa", .security_policy = &security_policy_test_all_ecdsa, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_rsa_kex", .security_policy = &security_policy_test_all_rsa_kex, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_ecdsa_priority", .security_policy = &security_policy_test_ecdsa_priority, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls12", .security_policy = &security_policy_test_all_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls13", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "null", .security_policy = &security_policy_null, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Sentinel: the lookup and init loops stop at the first NULL .version, so this entry must stay last. */
    { .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
};
1551 : :
/*
 * Policy names that were once selectable and are now refused.
 *
 * s2n_find_security_policy_from_version() consults this list only after the
 * live table misses, and reports S2N_ERR_DEPRECATED_SECURITY_POLICY for these
 * names instead of the generic S2N_ERR_INVALID_SECURITY_POLICY, so callers can
 * tell a retired name from a typo. Keeping a name here also reserves it: it must
 * not be reused for a different policy later.
 */
const char *deprecated_security_policies[] = {
    "KMS-PQ-TLS-1-0-2019-06",
    "KMS-PQ-TLS-1-0-2020-02",
    "KMS-PQ-TLS-1-0-2020-07",
    "PQ-TLS-1-0-2020-12",
    "PQ-TLS-1-1-2021-05-17",
    "PQ-TLS-1-0-2021-05-18",
    "PQ-TLS-1-0-2021-05-19",
    "PQ-TLS-1-0-2021-05-20",
    "PQ-TLS-1-1-2021-05-21",
    "PQ-TLS-1-0-2021-05-22",
    "PQ-TLS-1-0-2021-05-23",
    "PQ-TLS-1-0-2021-05-24",
    "PQ-TLS-1-0-2021-05-25",
    "PQ-TLS-1-0-2021-05-26",
    "PQ-SIKE-TEST-TLS-1-0-2019-11",
    "PQ-SIKE-TEST-TLS-1-0-2020-02",
};
/* Element count; s2n_array_len is a sizeof-based count, so it is only valid
 * because it is applied to the array definition above, never to a pointer. */
const size_t deprecated_security_policies_len = s2n_array_len(deprecated_security_policies);
1571 : :
/**
 * Resolves a security policy by its version name.
 *
 * The `security_policy_selection` table is scanned first; on a match
 * `*security_policy` receives a pointer to the static policy object and 0 is
 * returned. Matching is case-insensitive, so "20210816_GCM" and "20210816_gcm"
 * name the same entry. A name absent from the table but present in
 * `deprecated_security_policies` fails with S2N_ERR_DEPRECATED_SECURITY_POLICY;
 * any other unknown name fails with S2N_ERR_INVALID_SECURITY_POLICY. On
 * failure `*security_policy` is left untouched.
 *
 * @param version          NUL-terminated policy name; must not be NULL.
 * @param security_policy  Out-parameter for the resolved policy; must not be NULL.
 * @return 0 on success, S2N_FAILURE with the error above otherwise.
 */
int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(security_policy);

    /* Live names take precedence: a name present in both lists still resolves. */
    for (const struct s2n_security_policy_selection *entry = security_policy_selection; entry->version != NULL; entry++) {
        if (strcasecmp(version, entry->version) == 0) {
            *security_policy = entry->security_policy;
            return 0;
        }
    }

    /* Retired names get a distinct error so callers can tell them from typos. */
    for (size_t idx = 0; idx < deprecated_security_policies_len; idx++) {
        if (strcasecmp(version, deprecated_security_policies[idx]) == 0) {
            POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
        }
    }

    POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1592 : :
/**
 * Installs `security_policy` as the policy for `config`.
 *
 * Validation runs before anything is stored, so a failing call leaves
 * config->security_policy unchanged:
 *   - config, security_policy and the four mandatory preference lists (cipher,
 *     KEM, signature, ECC) must be non-NULL. The optional certificate
 *     signature / key preference lists are not checked here and may be NULL —
 *     several policies above leave them unset;
 *   - the policy's minimum protocol version must be fully supported by the
 *     linked libcrypto (S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED otherwise);
 *   - certificates already loaded into the config must satisfy the policy's
 *     certificate preferences; the error from
 *     s2n_config_validate_loaded_certificates() is propagated.
 *
 * NOTE(review): the policy's .rules flags (perfect forward secrecy, FIPS 140-3)
 * are not evaluated at install time in this function; presumably they are
 * enforced elsewhere — confirm.
 *
 * @param config           Configuration to update; must not be NULL.
 * @param security_policy  Static policy object; stored by pointer, never copied,
 *                         so it must outlive the config.
 * @return 0 on success, S2N_FAILURE otherwise.
 */
int s2n_config_set_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* A floor above what libcrypto can negotiate could never complete a handshake. */
    POSIX_ENSURE(s2n_get_highest_fully_supported_tls_version() >= security_policy->minimum_protocol_version,
            S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* Reject the policy rather than leave the config with certificates it forbids. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));

    config->security_policy = security_policy;
    return 0;
}
1610 : :
/**
 * Looks up `version` by name and installs the matching policy on `config`.
 *
 * Convenience wrapper: name-resolution failures
 * (S2N_ERR_INVALID_SECURITY_POLICY, S2N_ERR_DEPRECATED_SECURITY_POLICY) and
 * installation failures from s2n_config_set_security_policy() are passed
 * through unchanged, and the config is not modified on failure.
 *
 * @param config   Configuration to update.
 * @param version  Policy name, e.g. "default_tls13" or a dated name such as "20240501".
 * @return S2N_SUCCESS on success, S2N_FAILURE otherwise.
 */
int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));
    POSIX_GUARD(s2n_config_set_security_policy(config, resolved));
    return S2N_SUCCESS;
}
1618 : :
/**
 * Installs `security_policy` as a per-connection override on `conn`.
 *
 * Mirrors s2n_config_set_security_policy(): the connection, the policy and its
 * four mandatory preference lists (cipher, KEM, signature, ECC) must be
 * non-NULL; the policy's minimum protocol version must be fully supported by
 * the linked libcrypto; and the certificates already loaded into conn->config
 * must satisfy the policy's certificate preferences. Only after every check
 * passes is the pointer stored in conn->security_policy_override, so a failing
 * call leaves the connection untouched. The optional certificate signature /
 * key preference lists are not validated here.
 *
 * NOTE(review): conn->config is handed to the certificate validation without a
 * NULL check in this function; whether a connection with no config attached is
 * accepted or rejected depends on s2n_config_validate_loaded_certificates().
 * How the override is consulted relative to config->security_policy is outside
 * this file's listing — presumably the override wins; confirm in the accessor.
 *
 * @param conn             Connection to update; must not be NULL.
 * @param security_policy  Static policy object; stored by pointer, never copied.
 * @return 0 on success, S2N_FAILURE otherwise.
 */
int s2n_connection_set_security_policy(struct s2n_connection *conn, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* A floor above what libcrypto can negotiate could never complete a handshake. */
    POSIX_ENSURE(s2n_get_highest_fully_supported_tls_version() >= security_policy->minimum_protocol_version,
            S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* The certificate preferences are checked against the chains loaded into the
     * connection's config, not against anything held on the connection itself. */
    struct s2n_config *config = conn->config;
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));

    conn->security_policy_override = security_policy;
    return 0;
}
1638 : :
/**
 * Looks up `version` by name and installs the matching policy as a
 * per-connection override on `conn`.
 *
 * Convenience wrapper: name-resolution failures
 * (S2N_ERR_INVALID_SECURITY_POLICY, S2N_ERR_DEPRECATED_SECURITY_POLICY) and
 * installation failures from s2n_connection_set_security_policy() are passed
 * through unchanged, and the connection is not modified on failure.
 *
 * @param conn     Connection to update.
 * @param version  Policy name, e.g. "default_tls13" or a dated name such as "20240501".
 * @return S2N_SUCCESS on success, S2N_FAILURE otherwise.
 */
int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));
    POSIX_GUARD(s2n_connection_set_security_policy(conn, resolved));
    return S2N_SUCCESS;
}
1646 : :
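/* Validates one entry of security_policy_selection and records on that entry the
 * flags the handshake later consults (supports_tls13, ecc_extension_required,
 * pq_kem_extension_required).
 *
 * `index` is the entry's position in security_policy_selection.
 * Returns S2N_SUCCESS, or S2N_FAILURE with s2n_errno set when the policy is
 * malformed: a missing preference list, an invalid ECC curve list, an ECC list
 * with no curves (for any policy other than security_policy_null), a cipher whose
 * TLS1.3 validity disagrees with its minimum version, or KEM preferences that do
 * not match whether the PQ KEM extension is required.
 */
static int s2n_security_policy_selection_init_entry(int index)
{
    const struct s2n_security_policy *security_policy = security_policy_selection[index].security_policy;
    POSIX_ENSURE_REF(security_policy);
    const struct s2n_cipher_preferences *cipher_preference = security_policy->cipher_preferences;
    POSIX_ENSURE_REF(cipher_preference);
    const struct s2n_kem_preferences *kem_preference = security_policy->kem_preferences;
    POSIX_ENSURE_REF(kem_preference);
    const struct s2n_ecc_preferences *ecc_preference = security_policy->ecc_preferences;
    POSIX_ENSURE_REF(ecc_preference);
    POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));

    /* certificate_signature_preferences is optional; only validate it when present. */
    const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
    if (certificate_signature_preference != NULL) {
        POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
    }

    /* All policies other than the null policy must have at least one ecc curve configured. */
    if (security_policy != &security_policy_null) {
        S2N_ERROR_IF(ecc_preference->count == 0, S2N_ERR_INVALID_SECURITY_POLICY);
    }

    for (int j = 0; j < cipher_preference->count; j++) {
        struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
        POSIX_ENSURE_REF(cipher);

        const uint8_t *iana = cipher->iana_value;

        if (cipher->minimum_required_tls_version >= S2N_TLS13) {
            security_policy_selection[index].supports_tls13 = 1;
        }

        /* Sanity check that valid tls13 has minimum tls version set correctly */
        S2N_ERROR_IF(s2n_is_valid_tls13_cipher(iana) ^ (cipher->minimum_required_tls_version >= S2N_TLS13),
                S2N_ERR_INVALID_SECURITY_POLICY);

        if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
            security_policy_selection[index].ecc_extension_required = 1;
        }

        /* The TLS1.2 PQ KEM extension is only required when there are KEMs to offer. */
        if (s2n_cipher_suite_requires_pq_extension(cipher) && kem_preference->kem_count > 0) {
            security_policy_selection[index].pq_kem_extension_required = 1;
        }
    }

    POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[index].pq_kem_extension_required));

    /* Validate that security rules are correctly applied.
     * This should be checked by a unit test, but outside of unit tests we
     * check again here to cover the case where the unit tests are not run.
     */
    if (!s2n_in_unit_test()) {
        struct s2n_security_rule_result result = { 0 };
        POSIX_GUARD_RESULT(s2n_security_policy_validate_security_rules(security_policy, &result));
        POSIX_ENSURE(!result.found_error, S2N_ERR_INVALID_SECURITY_POLICY);
    }

    return S2N_SUCCESS;
}

/* Validates every registered security policy and caches the per-policy flags
 * (supports_tls13, ecc_extension_required, pq_kem_extension_required) that the
 * lookup helpers below rely on. The table is terminated by an entry whose
 * version is NULL.
 *
 * Returns S2N_SUCCESS, or S2N_FAILURE with s2n_errno set for the first entry
 * that fails validation; entries after it are not examined.
 */
int s2n_security_policies_init()
{
    for (int i = 0; security_policy_selection[i].version != NULL; i++) {
        POSIX_GUARD(s2n_security_policy_selection_init_entry(i));
    }
    return S2N_SUCCESS;
}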
1707 : :
/* Reports whether a handshake under `security_policy` must send the ECC extension.
 *
 * Policies from the built-in table answer from the flag cached by
 * s2n_security_policies_init(); any other policy is scanned directly for a
 * cipher suite that requires the extension. A NULL policy, or a policy with no
 * cipher preferences, requires nothing.
 */
bool s2n_ecc_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (int idx = 0; security_policy_selection[idx].version != NULL; idx++) {
        if (security_policy_selection[idx].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[idx].ecc_extension_required == 1;
    }

    /* Not a built-in policy: derive the answer from its cipher suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (prefs == NULL) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_ecc_extension(prefs->suites[idx]);
    }
    return required;
}
1733 : :
/* Reports whether a handshake under `security_policy` must send the TLS1.2 PQ KEM
 * extension.
 *
 * Policies from the built-in table answer from the flag cached by
 * s2n_security_policies_init(). Any other policy requires the extension only if
 * it has KEMs configured (or no KEM preferences at all) and one of its cipher
 * suites requires the extension. A NULL policy, or a policy with no cipher
 * preferences, requires nothing.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (int idx = 0; security_policy_selection[idx].version != NULL; idx++) {
        if (security_policy_selection[idx].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[idx].pq_kem_extension_required == 1;
    }

    /* Preferences with no KEMs for the TLS 1.2 PQ KEM extension do not require that extension. */
    const struct s2n_kem_preferences *kems = security_policy->kem_preferences;
    if (kems != NULL && kems->kem_count == 0) {
        return false;
    }

    /* Not a built-in policy: derive the answer from its cipher suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (prefs == NULL) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_pq_extension(prefs->suites[idx]);
    }
    return required;
}
1763 : :
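/* Checks whether a security policy supports TLS 1.3, i.e. whether it is configured
 * with at least one TLS 1.3 cipher suite.
 *
 * Policies from the built-in table answer from the supports_tls13 flag cached by
 * s2n_security_policies_init(); any other policy is scanned directly. A NULL
 * policy, or a policy with no cipher preferences, does not support TLS 1.3.
 */
bool s2n_security_policy_supports_tls13(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    /* size_t rather than uint8_t: a uint8_t index silently wraps to 0 once the
     * table holds more than 255 entries, turning this scan into an endless loop. */
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            return security_policy_selection[i].supports_tls13 == 1;
        }
    }

    /* if cipher preference is not in the official list, compute the result */
    const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
    if (cipher_preferences == NULL) {
        return false;
    }

    for (size_t i = 0; i < cipher_preferences->count; i++) {
        if (cipher_preferences->suites[i]->minimum_required_tls_version >= S2N_TLS13) {
            return true;
        }
    }

    return false;
}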
1793 : :
/* Checks whether the protocol version and cipher suite already negotiated on
 * `conn` would have been acceptable under the policy registered as `version`.
 *
 * Returns 1 if the negotiated protocol version meets the policy's minimum and
 * the negotiated suite appears in the policy's cipher preferences, 0 otherwise,
 * or S2N_FAILURE with s2n_errno set for a NULL argument, a connection with no
 * negotiated suite, or an unknown policy name.
 */
int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(conn->secure);
    POSIX_ENSURE_REF(conn->secure->cipher_suite);

    const struct s2n_security_policy *policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &policy));
    POSIX_ENSURE_REF(policy);

    /* A negotiated version below the policy's floor is never valid. */
    if (s2n_connection_get_actual_protocol_version(conn) < policy->minimum_protocol_version) {
        return 0;
    }

    struct s2n_cipher_suite *negotiated = conn->secure->cipher_suite;
    POSIX_ENSURE_REF(negotiated);

    /* Match the negotiated suite against each preferred suite by IANA identifier. */
    const struct s2n_cipher_preferences *prefs = policy->cipher_preferences;
    for (int idx = 0; idx < prefs->count; ++idx) {
        const uint8_t *candidate = prefs->suites[idx]->iana_value;
        if (s2n_constant_time_equals(candidate, negotiated->iana_value, S2N_TLS_CIPHER_SUITE_LEN)) {
            return 1;
        }
    }

    return 0;
}
1820 : :
/* Checks that a policy's KEM preferences are internally consistent and agree
 * with whether the TLS1.2 PQ KEM extension is required.
 *
 * Returns S2N_SUCCESS, or S2N_FAILURE with s2n_errno set to
 * S2N_ERR_INVALID_SECURITY_POLICY (or S2N_ERR_ARRAY_INDEX_OOB when the TLS1.3
 * KEM group count exceeds S2N_KEM_GROUPS_COUNT).
 */
int s2n_validate_kem_preferences(const struct s2n_kem_preferences *kem_preferences, bool pq_kem_extension_required)
{
    POSIX_ENSURE_REF(kem_preferences);

    const bool has_tls13_groups = kem_preferences->tls13_kem_group_count != 0;
    const bool has_tls12_kems = kem_preferences->kem_count != 0;

    /* Each list pointer must be NULL exactly when its count is zero. */
    POSIX_ENSURE(S2N_IFF(!has_tls13_groups, kem_preferences->tls13_kem_groups == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(S2N_IFF(!has_tls12_kems, kem_preferences->kems == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(kem_preferences->tls13_kem_group_count <= S2N_KEM_GROUPS_COUNT, S2N_ERR_ARRAY_INDEX_OOB);

    /* The PQ KEM extension is applicable only to TLS 1.2: when required there must
     * be KEMs to offer, and when not required there must be none. */
    if (pq_kem_extension_required) {
        POSIX_ENSURE(kem_preferences->kem_count > 0, S2N_ERR_INVALID_SECURITY_POLICY);
        POSIX_ENSURE(kem_preferences->kems != NULL, S2N_ERR_INVALID_SECURITY_POLICY);
        return S2N_SUCCESS;
    }

    POSIX_ENSURE(kem_preferences->kem_count == 0, S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(kem_preferences->kems == NULL, S2N_ERR_INVALID_SECURITY_POLICY);
    return S2N_SUCCESS;
}
1843 : :
/* Checks that a certificate signature preference list is usable: it must contain
 * either none or all NUM_RSA_PSS_SCHEMES of the RSA-PSS signature schemes.
 *
 * Returns S2N_RESULT_OK, or bails with S2N_ERR_INVALID_SECURITY_POLICY when only
 * a subset of the RSA-PSS schemes is listed.
 */
S2N_RESULT s2n_validate_certificate_signature_preferences(const struct s2n_signature_preferences *certificate_signature_preferences)
{
    RESULT_ENSURE_REF(certificate_signature_preferences);

    const size_t scheme_count = certificate_signature_preferences->count;
    size_t pss_schemes = 0;
    for (size_t idx = 0; idx < scheme_count; idx++) {
        const int nid = certificate_signature_preferences->signature_schemes[idx]->libcrypto_nid;
        pss_schemes += (nid == NID_rsassaPss) ? 1 : 0;
    }

    /*
     * https://github.com/aws/s2n-tls/issues/3435
     *
     * The Openssl function used to parse signatures off certificates does not differentiate between any rsa pss
     * signature schemes. Therefore a security policy with a certificate signatures preference list must include
     * all rsa_pss signature schemes. */
    const bool all_or_none = (pss_schemes == 0) || (pss_schemes == NUM_RSA_PSS_SCHEMES);
    RESULT_ENSURE(all_or_none, S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_RESULT_OK;
}
1865 : :
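/* Looks up the name ("version" string) under which `security_policy` is registered
 * in security_policy_selection.
 *
 * On success `*version` points at the table's string and S2N_RESULT_OK is returned.
 * If the policy is not a registered one, `*version` is left NULL and the call bails
 * with S2N_ERR_INVALID_SECURITY_POLICY. A NULL policy matches no entry once
 * s2n_security_policies_init has validated the table, so it also bails.
 */
S2N_RESULT s2n_security_policy_get_version(const struct s2n_security_policy *security_policy, const char **version)
{
    RESULT_ENSURE_REF(version);
    *version = NULL;
    /* size_t rather than uint8_t: a uint8_t index silently wraps to 0 once the
     * table holds more than 255 entries, turning this scan into an endless loop. */
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            *version = security_policy_selection[i].version;
            return S2N_RESULT_OK;
        }
    }
    RESULT_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}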
1878 : :
/* Checks a certificate's signature algorithm against the policy's certificate
 * signature preferences.
 *
 * A policy without certificate signature preferences accepts every signature.
 * Otherwise the certificate's signature NID must match one of the listed
 * schemes, or the call bails with the caller-supplied `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_signature(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_signature_preferences *prefs = security_policy->certificate_signature_preferences;
    if (prefs == NULL) {
        return S2N_RESULT_OK;
    }

    bool allowed = false;
    for (size_t idx = 0; idx < prefs->count && !allowed; idx++) {
        allowed = (prefs->signature_schemes[idx]->libcrypto_nid == info->signature_nid);
    }
    RESULT_ENSURE(allowed, error);
    return S2N_RESULT_OK;
}
1897 : :
/* Checks a certificate's public key against the policy's certificate key
 * preferences.
 *
 * A policy without certificate key preferences accepts every key. Otherwise the
 * key's algorithm (libcrypto NID) and size in bits must both match one of the
 * listed entries, or the call bails with the caller-supplied `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_key(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_certificate_key_preferences *prefs = security_policy->certificate_key_preferences;
    if (prefs == NULL) {
        return S2N_RESULT_OK;
    }

    bool allowed = false;
    for (size_t idx = 0; idx < prefs->count && !allowed; idx++) {
        const bool same_algorithm = prefs->certificate_keys[idx]->public_key_libcrypto_nid == info->public_key_nid;
        const bool same_size = prefs->certificate_keys[idx]->bits == info->public_key_bits;
        allowed = same_algorithm && same_size;
    }
    RESULT_ENSURE(allowed, error);
    return S2N_RESULT_OK;
}
1916 : :
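/* Validates every certificate in a locally loaded chain against the policy's
 * certificate key and signature preferences.
 *
 * The checks only run when the policy sets certificate_preferences_apply_locally;
 * otherwise the chain is accepted as-is. Certificates are walked from the chain's
 * head and the first incompatible one bails with
 * S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT.
 *
 * Note: the listing rendered `&current` as `¤t` (an HTML-entity mangling of
 * the address-of expression); the argument passed below is `&current->info`.
 */
S2N_RESULT s2n_security_policy_validate_certificate_chain(
        const struct s2n_security_policy *security_policy,
        const struct s2n_cert_chain_and_key *cert_key_pair)
{
    RESULT_ENSURE_REF(security_policy);
    RESULT_ENSURE_REF(cert_key_pair);
    RESULT_ENSURE_REF(cert_key_pair->cert_chain);

    if (!security_policy->certificate_preferences_apply_locally) {
        return S2N_RESULT_OK;
    }

    for (struct s2n_cert *current = cert_key_pair->cert_chain->head; current != NULL; current = current->next) {
        RESULT_GUARD(s2n_security_policy_validate_cert_key(security_policy, &current->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        RESULT_GUARD(s2n_security_policy_validate_cert_signature(security_policy, &current->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
    }
    return S2N_RESULT_OK;
}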