1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_security_policies.h"
17 : :
18 : : #include "api/s2n.h"
19 : : #include "crypto/s2n_pq.h"
20 : : #include "tls/s2n_certificate_keys.h"
21 : : #include "tls/s2n_connection.h"
22 : : #include "tls/s2n_supported_group_preferences.h"
23 : : #include "utils/s2n_safety.h"
24 : :
/* Default as of 10/13.
 *
 * TLS1.2 floor, the 2025-07 IETF PQ KEM preferences and the
 * perfect-forward-secrecy rule asserted. No certificate_signature_preferences
 * are set here; the FIPS variant directly below (security_policy_20251015)
 * sets them explicitly.
 */
const struct s2n_security_policy security_policy_20251014 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* FIPS default as of 10/13.
 *
 * Relative to security_policy_20251014: its own cipher preferences (20251015),
 * an explicit certificate_signature_preferences list (20201110), the older
 * 20201021 ECC preferences, and the S2N_FIPS_140_3 rule asserted alongside
 * perfect forward secrecy. Same PQ KEM preferences as the non-FIPS default.
 */
const struct s2n_security_policy security_policy_20251015 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251015,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
50 : :
/* TLS1.2 floor, no PQ KEM groups (kem_preferences_null), perfect forward
 * secrecy asserted. No certificate_signature_preferences are set.
 */
const struct s2n_security_policy security_policy_20240501 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* security_policy_20240501 plus an explicit certificate_signature_preferences
 * list (20201110), the 20201021 ECC preferences, and the S2N_FIPS_140_3 rule.
 * Same pairing pattern as security_policy_20251014 / security_policy_20251015.
 */
const struct s2n_security_policy security_policy_20240502 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* TLS1.3 default as of 05/24.
 *
 * Note the floor is still TLS1.2 and the cipher list is the CloudFront
 * tls_1_2_2019 one; no PQ KEM groups. Perfect forward secrecy asserted.
 */
const struct s2n_security_policy security_policy_20240503 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* security_policy_20240503 with the 2024-10 IETF PQ KEM preferences in place
 * of kem_preferences_null; every other field is the same.
 */
const struct s2n_security_policy security_policy_20241001 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* 20241001, but with ML-DSA added: both the signature_preferences and the
 * certificate_signature_preferences move to the 20250512 lists. Everything
 * else matches security_policy_20241001.
 */
const struct s2n_security_policy security_policy_20250512 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* security_policy_20250512 with the 2025-07 IETF PQ KEM preferences; the
 * KEM list is the only field that differs.
 */
const struct s2n_security_policy security_policy_20250721 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* NOTE(review): as defined here every field matches security_policy_20241001
 * exactly, so the "_pq_mixed" name currently selects the same policy. Confirm
 * whether this is an intentional alias or whether a different KEM or cipher
 * list was meant.
 */
const struct s2n_security_policy security_policy_20241001_pq_mixed = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor, no PQ KEM groups, certificate signature preferences set.
 * No rules are asserted for this policy (no .rules initializer).
 */
const struct s2n_security_policy security_policy_20240603 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240603,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240603,
};

/* Legacy policy: TLS1.0 floor with the 2014 signature and ECC preference
 * lists. No PQ KEM groups, no rules asserted.
 */
const struct s2n_security_policy security_policy_20170210 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170210,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.0 floor paired with the 2021 cipher list and 2020 signature/ECC
 * preferences; certificate signature preferences set. No rules asserted.
 */
const struct s2n_security_policy security_policy_20240417 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210831,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
162 : :
/*
 * This security policy is derived from the following specification:
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
 *
 * Supports TLS1.2
 *
 * Uses the *_default_fips preference lists throughout. The same
 * s2n_signature_preferences_default_fips list is reused as the
 * certificate_signature_preferences. Both the perfect-forward-secrecy and
 * S2N_FIPS_140_3 rules are asserted; no PQ KEM groups.
 */
const struct s2n_security_policy security_policy_20240416 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_default_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_default_fips,
    .certificate_signature_preferences = &s2n_signature_preferences_default_fips,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* FIPS policy: TLS1.2 floor, 20230317 cipher and signature lists (the
 * signature list doubles as the certificate signature list), 20201021 ECC
 * preferences. Perfect forward secrecy and S2N_FIPS_140_3 asserted.
 */
const struct s2n_security_policy security_policy_20230317 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20230317,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* security_policy_20230317 with cipher_preferences_20240331; the cipher list
 * is the only field that differs.
 */
const struct s2n_security_policy security_policy_20240331 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
207 : :
/* TLS1.0 floor, no PQ KEM groups, no rules asserted. Differs from
 * security_policy_20190802 only in the ECC preference list (20200310 here).
 */
const struct s2n_security_policy security_policy_20190801 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* security_policy_20190801 with the older 20140601 ECC preference list;
 * every other field is the same.
 */
const struct s2n_security_policy security_policy_20190802 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Legacy policy: TLS1.0 floor, 2014 signature/ECC lists, no PQ, no rules. */
const struct s2n_security_policy security_policy_20170405 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* security_policy_20170405 with the _gcm cipher list; the cipher list is the
 * only field that differs.
 */
const struct s2n_security_policy security_policy_20170405_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
249 : :
/* ELB policies.
 *
 * All of the ELB policies below share the 20140601 signature and ECC
 * preference lists, set no certificate_signature_preferences and use no PQ
 * KEM groups. They differ in the cipher list, the protocol floor, and whether
 * the perfect-forward-secrecy rule is asserted (only the "fs" policies
 * assert it).
 */

/* TLS1.0 floor, no rules asserted. */
const struct s2n_security_policy security_policy_elb_2015_04 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2015_04,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.0 floor, no rules asserted. */
const struct s2n_security_policy security_policy_elb_2016_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2016_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.1 floor, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_1_2017_01 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_tls_1_1_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 floor, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_2_2017_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 floor, no rules asserted. */
const struct s2n_security_policy security_policy_elb_tls_1_2_ext_2018_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_ext_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.0 floor; perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_elb_fs_2018_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_fs_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor; perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_elb_fs_1_2_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.1 floor; perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_elb_fs_1_1_2019_08 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_fs_1_1_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor; perfect forward secrecy asserted. The "Res" cipher list is
 * defined elsewhere; what it restricts is not visible in this file.
 */
const struct s2n_security_policy security_policy_elb_fs_1_2_Res_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_Res_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
333 : :
/* CloudFront upstream.
 *
 * Four variants that share the 20140601 signature list and 20230623 ECC
 * list, use no PQ KEM groups and assert no rules; they differ only in the
 * cipher list and the protocol floor. The base variant accepts SSLv3 as its
 * floor, the lowest minimum used anywhere in this file.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.0 floor. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.1 floor. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls11,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.2 floor. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
366 : :
/* CloudFront upstream 2025 -- same as original upstream above, but with:
 * 1. TLSv1.3 enabled and
 * 2. signature preferences updated to 2020-10-21, expanding support for RSA
 * PSS while preserving support for legacy signature algorithms
 *
 * NOTE(review): the fields below reference s2n_signature_preferences_20250820
 * (and _20250821 for the _pq variants), not a 2020-10-21 list; confirm that
 * the comment and the referenced symbols agree. The protocol floor is
 * unchanged from the original upstream policies (SSLv3 for the base variant),
 * so "TLSv1.3 enabled" refers to the cipher list, not the minimum version.
 * None of these policies assert any rules.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.0 floor; same cipher list as the base 2025_08_08 variant. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.1 floor; same cipher list as the base 2025_08_08 variant. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.2 floor; same cipher list as the base 2025_08_08 variant. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.3 floor; the only non-PQ variant with its own (_tls13) cipher list. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250820,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* PQ variants: the 2025-07 IETF PQ KEM preferences plus the 20250821
 * signature list (the non-PQ variants use 20250820). Floors mirror the
 * non-PQ variants, including the SSLv3 floor on the base variant.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.0 floor, PQ. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls10_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.1 floor, PQ. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls11_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.2 floor, PQ. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls12_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* TLS1.3 floor, PQ, with the _tls13 cipher list. */
const struct s2n_security_policy security_policy_cloudfront_upstream_2025_08_08_tls13_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250821,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
451 : :
/* CloudFront viewer facing.
 *
 * Unless noted otherwise these policies use the 20200207 signature list, the
 * 20200310 ECC list and the 2024-10 IETF PQ KEM preferences, and set no
 * certificate_signature_preferences. Their "_no_pq" counterparts further
 * down swap the KEM list for kem_preferences_null.
 */

/* SSLv3 floor (the lowest in this file) combined with PQ KEM preferences;
 * no rules asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Historically "security_policy_cloudfront_tls_1_0_2014, but with IETF
 * standard KEM Groups". As defined here every field matches
 * security_policy_cloudfront_tls_1_0_2014 (both now reference
 * kem_preferences_pq_tls_1_3_ietf_2024_10), so the two names select the same
 * policy; presumably kept for callers that still use this name -- confirm.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_pq_beta = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor with the _sha256 cipher list; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_sha256 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_sha256,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_cloudfront_tls_1_0_2016, but with TLS 1.2 as the
 * minimum and with kem_preferences_null in place of the PQ KEM preferences
 * (the cipher, signature and ECC lists are unchanged).
 */
const struct s2n_security_policy security_policy_20241106 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.1 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor using the _no_sha1 signature list; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor with the _beta cipher list. Unlike its _no_sha1 sibling this
 * one uses the plain 20200207 signature list and no PQ KEM groups.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_beta = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_beta,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor, _no_sha1 signature list, perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor, _no_sha1 signature list, perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Historically "security_policy_cloudfront_tls_1_2_2021_no_sha1, but with
 * IETF standard KEM Groups". As defined here every field matches
 * security_policy_cloudfront_tls_1_2_2021_no_sha1 (both now reference
 * kem_preferences_pq_tls_1_3_ietf_2024_10), so the two names select the same
 * policy; presumably kept for callers that still use this name -- confirm.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1_pq_beta = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor, _chacha20_boosted cipher list, no PQ KEM groups, the plain
 * 20200207 signature list (SHA-1 variants not excluded here, unlike the
 * _no_sha1 policies); perfect forward secrecy asserted.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_chacha20_boosted = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021_chacha20_boosted,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* FIPS 140-3 compliant version of security_policy_cloudfront_tls_1_2_2021
 * (no policy with exactly that name is defined in this file; presumably the
 * cloudfront_tls_1_2_2021 cipher family is meant -- confirm). Uses the
 * 20250813 signature list and the default_fips ECC list, keeps the 2024-10
 * PQ KEM preferences, and asserts both perfect forward secrecy and
 * S2N_FIPS_140_3.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2025 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2025,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250813,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* TLS1.3 floor with the 20250813 signature list and 20200310 ECC list;
 * perfect forward secrecy asserted (no FIPS rule on this one).
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_3_2025 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_3_2025,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250813,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
603 : :
/* CloudFront non-pq viewer facing policies.
 *
 * Each policy here is the corresponding viewer-facing policy above with
 * kem_preferences_null in place of kem_preferences_pq_tls_1_3_ietf_2024_10;
 * every other field (floor, cipher, signature and ECC lists, rules) is the
 * same as in its PQ counterpart.
 */

/* SSLv3 floor (the lowest in this file); no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_no_pq = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor with the _sha256 cipher list; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_sha256_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_sha256,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor; no rules asserted. security_policy_20241106 is this policy
 * with a TLS1.2 floor.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_no_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.1 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_no_pq = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor, _no_sha1 signature list; no rules asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_no_sha1_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 floor, _no_sha1 signature list; perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_no_sha1_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.2 floor, _no_sha1 signature list; perfect forward secrecy asserted. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_no_sha1_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207_no_sha1,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Non-PQ form of security_policy_cloudfront_tls_1_2_2025: still asserts
 * both perfect forward secrecy and S2N_FIPS_140_3, and still uses the
 * 20250813 signature list with the default_fips ECC list.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2025_no_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2025,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250813,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
694 : :
695 : : const struct s2n_security_policy security_policy_cloudfront_tls_1_3_2025_no_pq = {
696 : : .minimum_protocol_version = S2N_TLS13,
697 : : .cipher_preferences = &cipher_preferences_cloudfront_tls_1_3_2025,
698 : : .kem_preferences = &kem_preferences_null,
699 : : .signature_preferences = &s2n_signature_preferences_20250813,
700 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
701 : : .rules = {
702 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
703 : : },
704 : : };
705 : :
/* CloudFront viewer facing legacy policies */

/*
 * The three tls_1_2_2018/2019/2021 entries below differ from their
 * *_no_sha1_no_pq counterparts only in the signature list: they keep
 * s2n_signature_preferences_20200207 (SHA-1 still permitted) instead of the
 * _no_sha1 variant. Cipher, KEM (null), ECC lists and rules are identical.
 */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Asserts S2N_PERFECT_FORWARD_SECRECY; the 2018 entry above does not. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * The *_legacy entries all use the 20140601 signature and ECC lists. Only
 * tls_1_2_2019_legacy asserts a rule (PFS). The SSLv3 floor on the first
 * entry is the lowest protocol floor in this file section.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_legacy = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_legacy = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Only legacy entry that asserts S2N_PERFECT_FORWARD_SECRECY. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
787 : :
/*
 * AWS CRT SDK policies.
 *
 * The ssl_v3/tls_10/tls_11/tls_12/tls_13 set uses the 20200207 signature
 * list and the 20200310 ECC list. The *_06_23 set repeats each of those
 * entries with s2n_ecc_preferences_20230623 and no other change. tls_10,
 * tls_11 and tls_12 (and their _06_23 counterparts) share
 * cipher_preferences_aws_crt_sdk_default and differ only in the protocol
 * floor. All KEM lists here are kem_preferences_null.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS 1.3 floor with its own cipher list; asserts S2N_PERFECT_FORWARD_SECRECY. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_aws_crt_sdk_ssl_v3 with the 20230623 ECC list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3_06_23 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_10 with the 20230623 ECC list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_06_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_11 with the 20230623 ECC list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11_06_23 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12 with the 20230623 ECC list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * TLS 1.2 floor with the 2025 CRT SDK cipher list and the 20240501 signature
 * list; asserts both S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3.
 * NOTE(review): this FIPS-asserting policy pairs with the oldest ECC list in
 * the file (s2n_ecc_preferences_20140601) rather than one of the newer ones
 * used by the other FIPS entries — confirm that list is the intended choice.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* Same as security_policy_aws_crt_sdk_tls_13 with the 20230623 ECC list; asserts PFS. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
885 : :
/* KMS policies. All three assert S2N_PERFECT_FORWARD_SECRECY and use kem_preferences_null. */

/* TLS 1.0 floor; 2018 KMS cipher list with the 20140601 signature and ECC lists. */
const struct s2n_security_policy security_policy_kms_tls_1_0_2018_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS 1.0 floor; 2021 KMS cipher list with the 20200207 signature and 20200310 ECC lists. */
const struct s2n_security_policy security_policy_kms_tls_1_0_2021_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * Same cipher, signature and ECC lists as security_policy_kms_tls_1_0_2021_08
 * (note the cipher list is still the tls_1_0_2021_08 one); the only change is
 * the protocol floor raised to TLS 1.2.
 */
const struct s2n_security_policy security_policy_kms_tls_1_2_2023_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
918 : :
/*
 * Same as security_policy_aws_crt_sdk_tls_10_06_23 but with (IETF-standardized)
 * ML-KEM support: kem_preferences_pq_tls_1_3_ietf_2025_07 replaces
 * kem_preferences_null; everything else is unchanged.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_07_25_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_aws_crt_sdk_tls_12_06_23 but with (IETF-standardized)
 * ML-KEM support via kem_preferences_pq_tls_1_3_ietf_2025_07.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_07_25_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_aws_crt_sdk_tls_13_06_23 but with (IETF-standardized)
 * ML-KEM support via kem_preferences_pq_tls_1_3_ietf_2025_07.
 * NOTE(review): unlike security_policy_aws_crt_sdk_tls_13_06_23, this entry
 * has no .rules block and therefore does not assert
 * S2N_PERFECT_FORWARD_SECRECY — confirm whether that omission is intended.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_07_25_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_aws_crt_sdk_tls_12_06_23 but with ML-KEM support.
 * Uses the earlier kem_preferences_pq_tls_1_3_ietf_2024_10 list, not the
 * 2025_07 list used by the *_07_25_pq entries above.
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * Same as security_policy_pq_tls_1_2_2023_10_07, but with ML-KEM support.
 * The cipher list is the ELB one, elb_security_policy_tls13_1_2_Ext2_2021_06.
 */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls13_1_2_Ext2_2021_06,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_08, but with 3DES removed and ML-KEM support added. */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_10, but with 3DES removed and ML-KEM support added. */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008_gcm,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/*
 * Same as security_policy_pq_tls_1_2_2023_10_09, but with 3DES removed and
 * ML-KEM support added. The only pq_tls_1_2_2024_* entry that asserts
 * S2N_PERFECT_FORWARD_SECRECY.
 */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241009,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
/*
 * KMS FIPS policies. All three have a TLS 1.2 floor and assert
 * S2N_PERFECT_FORWARD_SECRECY; only the 2024_10 entry also asserts
 * S2N_FIPS_140_3 and carries a non-null KEM list.
 */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* 2021 KMS FIPS cipher list; 20200207 signature list but still the 20140601 ECC list. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2021_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * Same as security_policy_pq_20231215, but with only ML-KEM support.
 * Reuses cipher_preferences_kms_fips_tls_1_2_2021_08, pairs it with the
 * 20230317 signature list and the 20201021 ECC list, and adds the
 * kem_preferences_pq_tls_1_3_ietf_2024_10 KEM list.
 */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2024_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1027 : :
/*
 * Historical dated policies (2014–2019). Every entry in this run uses the
 * 20140601 signature and ECC lists, kem_preferences_null, and asserts no
 * rules. All have a TLS 1.0 floor except security_policy_20140601, whose
 * floor is SSLv3. A _gcm entry differs from its base only in the cipher list.
 */
const struct s2n_security_policy security_policy_20140601 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_20140601,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20141001 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20141001,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150202 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150202,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20150214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160411 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160411,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Out of date order in the file (2015 after 2016); kept as-is. */
const struct s2n_security_policy security_policy_20150306 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150306,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160804 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160804,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20160824 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160824,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190122 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190121 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190121,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190120 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190120,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20190214_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
1131 : :
/*
 * 20210825 and its _gcm variant: TLS 1.0 floor with the 20200207 signature
 * and 20200310 ECC lists; no rules asserted.
 */
const struct s2n_security_policy security_policy_20210825 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_20210825_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/*
 * 2017 policies and their _gcm variants: TLS 1.0 floor with the 20140601
 * signature and ECC lists; no rules asserted.
 */
const struct s2n_security_policy security_policy_20170328 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170328_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_20170718_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * Reuses cipher_preferences_20190122 (no dedicated 20201021 cipher list) and
 * pairs it with the 20201021 signature and ECC lists.
 */
const struct s2n_security_policy security_policy_20201021 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * 20210816 and its _gcm variant: TLS 1.2 floor with the 20210816 signature
 * and ECC lists; both assert S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3.
 */
const struct s2n_security_policy security_policy_20210816 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_20210816_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1211 : :
/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * It is the first entry in this section to set certificate_key_preferences
 * and certificate_preferences_apply_locally. It asserts no rules.
 */
const struct s2n_security_policy security_policy_20250429 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20250429,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151
 *
 * The following exceptions to this specification are made:
 * - RSA key-exchange cipher suites are not supported, so that every
 *   handshake provides perfect forward secrecy.
 * - DHE cipher suites are not supported, to remove the possibility of
 *   improper Diffie-Hellman parameter configuration.
 *
 * Compared with security_policy_20250429 this swaps in
 * cipher_preferences_20251013 and asserts both S2N_PERFECT_FORWARD_SECRECY
 * and S2N_FIPS_140_3; the signature, certificate and ECC lists are the same.
 */
const struct s2n_security_policy security_policy_20251013 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251013,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is a mix of default_tls13 (20240503) and rfc9151, with
 * a primary requirement that AES-256 is the ciphersuite chosen. Other
 * requirements are generally picked to raise minimum thresholds (e.g.,
 * requiring TLS 1.3) where possible without losing compatibility with modern
 * default_tls13 clients or servers.
 *
 * Sets certificate_signature_preferences but, unlike the rfc9151 entries
 * above, no certificate_key_preferences. Asserts PFS only.
 */
const struct s2n_security_policy security_policy_20250211 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * This is essentially identical to 20250211, but fixes a bug which required
 * P-384 keys on certificates, which invalidated the compatibility promise for
 * that policy.
 *
 * The visible differences from 20250211 are .signature_preferences
 * (s2n_signature_preferences_20240501 instead of the 20250429 list) and the
 * additional S2N_FIPS_140_3 rule assertion.
 */
const struct s2n_security_policy security_policy_20250414 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1287 : :
1288 : : const struct s2n_security_policy security_policy_20251113 = {
1289 : : .minimum_protocol_version = S2N_TLS12,
1290 : : .cipher_preferences = &cipher_preferences_20251113,
1291 : : .kem_preferences = &kem_preferences_null,
1292 : : .signature_preferences = &s2n_signature_preferences_20251113,
1293 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
1294 : : .ecc_preferences = &s2n_ecc_preferences_20251113,
1295 : : .strongly_preferred_groups = &cnsa_1_strong_preference,
1296 : : };
1297 : :
1298 : : const struct s2n_security_policy security_policy_20251114 = {
1299 : : .minimum_protocol_version = S2N_TLS12,
1300 : : .cipher_preferences = &cipher_preferences_20251114,
1301 : : .kem_preferences = &kem_preferences_null,
1302 : : .signature_preferences = &s2n_signature_preferences_20251113,
1303 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
1304 : : .ecc_preferences = &s2n_ecc_preferences_20251113,
1305 : : .strongly_preferred_groups = &cnsa_1_strong_preference,
1306 : : };
1307 : :
1308 : : const struct s2n_security_policy security_policy_20251115 = {
1309 : : .minimum_protocol_version = S2N_TLS12,
1310 : : .cipher_preferences = &cipher_preferences_20251115,
1311 : : .kem_preferences = &kem_preferences_null,
1312 : : .signature_preferences = &s2n_signature_preferences_20251113,
1313 : : .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
1314 : : .ecc_preferences = &s2n_ecc_preferences_20251113,
1315 : : .strongly_preferred_groups = &cnsa_1_strong_preference,
1316 : : };
1317 : :
/* Registered as "20251116". Shares the 20251113 signature, certificate-signature
 * and ECC tables and cnsa_1_strong_preference with security_policy_20251113..15,
 * but has its own cipher table and — unlike every sibling in that family — a
 * TLS 1.0 floor instead of TLS 1.2. No PQ KEM list, no `.rules` entries.
 *
 * NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996) and the CNSA 1.0 TLS profile
 * (RFC 9151) requires TLS 1.2 or later, so despite carrying the CNSA-1 group
 * preference this should be read as a legacy-compatibility policy, not a
 * CNSA-conformant one. Confirm that is the intent before pointing
 * compliance-sensitive callers at it. */
const struct s2n_security_policy security_policy_20251116 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20251116,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};
1327 : :
/* Registered as "20251117". Per the comment on its selection-table entry below,
 * this is 20251114 without the SHA-1 HMAC cipher suites; in this file the two
 * differ only in the cipher table (cipher_preferences_20251117). TLS 1.2 floor,
 * no PQ KEM list (kem_preferences_null), no `.rules` entries. */
const struct s2n_security_policy security_policy_20251117 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20251117,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20251113,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20251113,
    .ecc_preferences = &s2n_ecc_preferences_20251113,
    .strongly_preferred_groups = &cnsa_1_strong_preference,
};
1337 : :
/* Registered as "cnsa_2" in security_policy_selection below.
 *
 * - TLS 1.3 is the floor: nothing below TLS 1.3 can be negotiated under this policy.
 * - ecc_preferences_null: no classical ECC group table is attached. The only
 *   key-exchange group list this policy carries is the CNSA 2.0 PQ KEM list,
 *   kem_preferences_pq_tls_1_3_cnsa2_2026_02.
 * - certificate_signature_preferences reuses the handshake signature table
 *   s2n_signature_preferences_20260219 instead of a dedicated
 *   s2n_certificate_signature_preferences_* table (security_policy_20260220 below
 *   has its own; security_policy_test_pq_only does the same reuse).
 *   NOTE(review): confirm the reuse is intentional — this table is presumably what
 *   governs which signature algorithms are accepted on certificate chains, so a
 *   wrong pointer here changes certificate validation silently.
 * - certificate_key_preferences_20260219 together with
 *   certificate_preferences_apply_locally = true: presumably the certificate
 *   restrictions are checked against the local chain as well as the peer's —
 *   confirm against the field's definition in the policy header.
 * - Rules: S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3 are both asserted.
 */
const struct s2n_security_policy security_policy_20260219 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_pq_tls_1_3_cnsa2_2026_02,
    .signature_preferences = &s2n_signature_preferences_20260219,
    .certificate_signature_preferences = &s2n_signature_preferences_20260219,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20260219,
    .ecc_preferences = &s2n_ecc_preferences_null,
    .certificate_preferences_apply_locally = true,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1352 : :
/* Registered as "cnsa_1_2_interop" in security_policy_selection below.
 *
 * Differs from security_policy_20260219 ("cnsa_2") in four visible ways: a TLS 1.2
 * floor rather than TLS 1.3, its own cipher table (cipher_preferences_20260220),
 * dedicated 20260220 signature / certificate-signature / certificate-key tables,
 * and a classical ECC group table (s2n_ecc_preferences_20210816) alongside the
 * CNSA 2.0 PQ KEM list. certificate_preferences_apply_locally is set (presumably
 * the certificate restrictions also apply to the local chain — confirm), and both
 * S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3 rules are asserted. */
const struct s2n_security_policy security_policy_20260220 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20260220,
    .kem_preferences = &kem_preferences_pq_tls_1_3_cnsa2_2026_02,
    .signature_preferences = &s2n_signature_preferences_20260220,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20260220,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20260220,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
1367 : :
/* Test-only catch-all policy, registered as "test_all". SSLv3 floor and the
 * "all"/"test_all" cipher, KEM, signature and ECC tables; no certificate-signature
 * table and no `.rules`. Nothing here is intended for production use. */
const struct s2n_security_policy security_policy_test_all = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};
1375 : :
/* Test-only policy, registered as "test_all_tls12". SSLv3 floor with the
 * test_all_tls12 cipher table, no PQ KEM list (kem_preferences_null), and the
 * 20201021 signature and ECC tables. No `.rules`. */
const struct s2n_security_policy security_policy_test_all_tls12 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};
1383 : :
/* Test-only FIPS policy, registered as "test_all_fips". TLS 1.2 floor, the
 * test_all_fips cipher and signature tables, every KEM (kem_preferences_all) and
 * the 20201021 ECC table. Only the S2N_FIPS_140_3 rule is asserted — no
 * S2N_PERFECT_FORWARD_SECRECY rule, unlike the dated FIPS defaults. */
const struct s2n_security_policy security_policy_test_all_fips = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_test_all_fips,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_test_all_fips,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};
1394 : :
/* Test-only ECDSA policy, registered as "test_all_ecdsa". TLS 1.0 floor, the
 * test_all_ecdsa cipher table, no PQ KEM list, the 20201021 signature table and
 * the test_all ECC table. Asserts the S2N_PERFECT_FORWARD_SECRECY rule. */
const struct s2n_security_policy security_policy_test_all_ecdsa = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_ecdsa,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1405 : :
/* Test-only policy, registered as "test_all_rsa_kex". TLS 1.0 floor with the
 * test_all_rsa_kex cipher table and the oldest (20140601) signature and ECC
 * tables; no PQ KEM list. Deliberately carries no S2N_PERFECT_FORWARD_SECRECY
 * rule: static RSA key exchange provides no forward secrecy, so that rule could
 * not hold for this policy. */
const struct s2n_security_policy security_policy_test_all_rsa_kex = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_rsa_kex,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
1413 : :
/* Test-only policy, registered as "test_all_tls13". Despite the name the floor is
 * SSLv3, not TLS 1.3 — the TLS 1.3 part is the cipher table
 * (cipher_preferences_test_all_tls13). No PQ KEM list, the "all" signature table,
 * the test_all ECC table, and the S2N_PERFECT_FORWARD_SECRECY rule asserted. */
const struct s2n_security_policy security_policy_test_all_tls13 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1424 : :
/* Test-only PQ-only policy, registered as "test_pq_only". TLS 1.3 floor, the
 * CloudFront upstream 2025-08-08 TLS 1.3 cipher table, every KEM
 * (kem_preferences_all) and ecc_preferences_null — i.e. no classical ECC group
 * table at all, so the KEM list is the only key-exchange group list attached.
 * The 20240501 handshake signature table is reused as the certificate-signature
 * table (the same reuse as security_policy_20260219). S2N_PERFECT_FORWARD_SECRECY
 * rule asserted. */
const struct s2n_security_policy security_policy_test_pq_only = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_2025_08_08_tls13,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_null,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1436 : :
/* Registered as "20200207". Same tables as security_policy_test_all_tls13 except
 * that the signature table is s2n_signature_preferences_20201021 rather than the
 * "all" table. Note that, like test_all_tls13, it keeps an SSLv3 floor and the
 * cipher_preferences_test_all_tls13 cipher table, so despite its dated name it is
 * presumably a test/compatibility policy rather than a hardened default — confirm
 * before using it outside tests. */
const struct s2n_security_policy security_policy_20200207 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
1447 : :
/* Test-only policy, registered as "test_ecdsa_priority". SSLv3 floor, the
 * test_ecdsa_priority cipher table, no PQ KEM list, the 20201021 signature table
 * and the test_all ECC table. No `.rules` are asserted. */
const struct s2n_security_policy security_policy_test_ecdsa_priority = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_ecdsa_priority,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};
1455 : :
/* Registered as "null". Every preference table is the corresponding null table
 * (cipher, KEM, signature, ECC), with a TLS 1.0 floor. Presumably a sentinel /
 * placeholder for code paths and tests that need a policy object that negotiates
 * nothing — confirm before treating it as anything else. Not for production use. */
const struct s2n_security_policy security_policy_null = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_null,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_null,
    .ecc_preferences = &s2n_ecc_preferences_null,
};
1463 : :
/* Name -> policy lookup table.
 *
 * Each entry maps a user-visible policy name (`.version`) to a policy struct. The
 * table ends with a `.version = NULL` sentinel; keep that entry last, since a NULL
 * name is what marks the end of the table for whatever iterates it (the lookup
 * itself is not in this file).
 *
 * NOTE(review): the array is non-const, and every entry starts with
 * ecc_extension_required = 0 / pq_kem_extension_required = 0. Presumably those
 * flags are computed and written at library init from each policy's tables —
 * confirm. Until then, bear in mind this is a writable global table.
 *
 * Alias entries ("default", "default_tls13", "default_fips", "default_pq",
 * "rfc9151", "cnsa_1", "cnsa_2", "cnsa_1_2_interop") point at dated policies that
 * are also reachable under their own dated names. The aliases are the ones that
 * are expected to move over time; pin a dated name where stability matters.
 */
struct s2n_security_policy_selection security_policy_selection[] = {
    /* If changing named policies, please update the usage guide's docs on the corresponding policy.
     * You likely also want to update the compatibility unit tests in (tests/unit/s2n_security_rules_test.c).
     */
    /* Aliases: each resolves to a dated policy that is also listed below. */
    { .version = "default", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_fips", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240503", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240331", .security_policy = &security_policy_20240331, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240417", .security_policy = &security_policy_20240417, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240416", .security_policy = &security_policy_20240416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251014", .security_policy = &security_policy_20251014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251015", .security_policy = &security_policy_20251015, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* ELB policies: names mirror the AWS Elastic Load Balancing policy names. */
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent, so both names resolve to the same policy. */
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-2016-08", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-1-2017-01", .security_policy = &security_policy_elb_tls_1_1_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-2017-01", .security_policy = &security_policy_elb_tls_1_2_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", .security_policy = &security_policy_elb_tls_1_2_ext_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-2018-06", .security_policy = &security_policy_elb_fs_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-2019-08", .security_policy = &security_policy_elb_fs_1_2_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-1-2019-08", .security_policy = &security_policy_elb_fs_1_1_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-Res-2019-08", .security_policy = &security_policy_elb_fs_1_2_Res_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront upstream (origin-facing) policies; the "-2025" family adds -PQ variants. */
    { .version = "CloudFront-Upstream", .security_policy = &security_policy_cloudfront_upstream, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0", .security_policy = &security_policy_cloudfront_upstream_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1", .security_policy = &security_policy_cloudfront_upstream_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2", .security_policy = &security_policy_cloudfront_upstream_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls10_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls11_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls12_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-3-2025-PQ", .security_policy = &security_policy_cloudfront_upstream_2025_08_08_tls13_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Viewer Facing */
    { .version = "CloudFront-SSL-v-3", .security_policy = &security_policy_cloudfront_ssl_v_3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014", .security_policy = &security_policy_cloudfront_tls_1_0_2014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-sha256", .security_policy = &security_policy_cloudfront_tls_1_0_2014_sha256, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016", .security_policy = &security_policy_cloudfront_tls_1_0_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016", .security_policy = &security_policy_cloudfront_tls_1_1_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2017", .security_policy = &security_policy_cloudfront_tls_1_2_2017, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2018_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2019_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-no-sha1", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2025", .security_policy = &security_policy_cloudfront_tls_1_2_2025, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-3-2025", .security_policy = &security_policy_cloudfront_tls_1_3_2025, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Non-PQ Viewer Facing: "-no-pq" counterparts of the viewer-facing entries above. */
    { .version = "CloudFront-SSL-v-3-no-pq", .security_policy = &security_policy_cloudfront_ssl_v_3_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2014_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-sha256-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2014_sha256_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016-no-pq", .security_policy = &security_policy_cloudfront_tls_1_0_2016_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016-no-pq", .security_policy = &security_policy_cloudfront_tls_1_1_2016_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2017-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2017_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2018_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2019_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-no-sha1-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2025-no-pq", .security_policy = &security_policy_cloudfront_tls_1_2_2025_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-3-2025-no-pq", .security_policy = &security_policy_cloudfront_tls_1_3_2025_no_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Unofficial Viewer Facing */
    { .version = "CloudFront-TLS-1-0-2014-PQ-Beta", .security_policy = &security_policy_cloudfront_tls_1_0_2014_pq_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-no-sha1-PQ-Beta", .security_policy = &security_policy_cloudfront_tls_1_2_2021_no_sha1_pq_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-Beta", .security_policy = &security_policy_cloudfront_tls_1_2_2018_beta, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-Chacha20-Boosted", .security_policy = &security_policy_cloudfront_tls_1_2_2021_chacha20_boosted, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Legacy policies */
    { .version = "CloudFront-SSL-v-3-Legacy", .security_policy = &security_policy_cloudfront_ssl_v_3_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2014_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_1_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2018_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2019_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018", .security_policy = &security_policy_cloudfront_tls_1_2_2018, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019", .security_policy = &security_policy_cloudfront_tls_1_2_2019, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021", .security_policy = &security_policy_cloudfront_tls_1_2_2021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CRT allows users to choose the minimal TLS protocol they want to negotiate with. This translates to 5 different security policies in s2n
     * (per generation: the original set, the -2023 set, and the -2025[-PQ] set). */
    { .version = "AWS-CRT-SDK-SSLv3.0", .security_policy = &security_policy_aws_crt_sdk_ssl_v3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0", .security_policy = &security_policy_aws_crt_sdk_tls_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1", .security_policy = &security_policy_aws_crt_sdk_tls_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2", .security_policy = &security_policy_aws_crt_sdk_tls_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3", .security_policy = &security_policy_aws_crt_sdk_tls_13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-SSLv3.0-2023", .security_policy = &security_policy_aws_crt_sdk_ssl_v3_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2023", .security_policy = &security_policy_aws_crt_sdk_tls_10_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_10_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* NOTE(review): the backing symbol for TLSv1.2-2025 is named *_tls_30_06_25, not *_tls_12_* like its siblings — confirm it really is the TLS 1.2 policy. */
    { .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_13_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* KMS TLS Policies */
    { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-0-2021-08", .security_policy = &security_policy_kms_tls_1_0_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-2-2023-06", .security_policy = &security_policy_kms_tls_1_2_2023_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2018-10", .security_policy = &security_policy_kms_fips_tls_1_2_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2021-08", .security_policy = &security_policy_kms_fips_tls_1_2_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2024-10", .security_policy = &security_policy_kms_fips_tls_1_2_2024_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Still-supported PQ policies; older PQ-* names live in deprecated_security_policies below. */
    { .version = "PQ-TLS-1-2-2024-10-07", .security_policy = &security_policy_pq_tls_1_2_2024_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08", .security_policy = &security_policy_pq_tls_1_2_2024_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08_gcm", .security_policy = &security_policy_pq_tls_1_2_2024_10_08_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-09", .security_policy = &security_policy_pq_tls_1_2_2024_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Dated policies, oldest first (not strictly sorted). */
    { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150214", .security_policy = &security_policy_20150214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150306", .security_policy = &security_policy_20150306, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160411", .security_policy = &security_policy_20160411, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160804", .security_policy = &security_policy_20160804, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160824", .security_policy = &security_policy_20160824, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170210", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328", .security_policy = &security_policy_20170328, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328_gcm", .security_policy = &security_policy_20170328_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214", .security_policy = &security_policy_20190214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214_gcm", .security_policy = &security_policy_20190214_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825", .security_policy = &security_policy_20210825, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825_gcm", .security_policy = &security_policy_20210825_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405", .security_policy = &security_policy_20170405, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405_gcm", .security_policy = &security_policy_20170405_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718", .security_policy = &security_policy_20170718, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718_gcm", .security_policy = &security_policy_20170718_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190120", .security_policy = &security_policy_20190120, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190121", .security_policy = &security_policy_20190121, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Note the upper-case "_GCM" suffix here, unlike the lower-case "_gcm" names above; the name is part of the public interface, keep it. */
    { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240603", .security_policy = &security_policy_20240603, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250211", .security_policy = &security_policy_20250211, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250414", .security_policy = &security_policy_20250414, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250429", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251013", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251113", .security_policy = &security_policy_20251113, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251114", .security_policy = &security_policy_20251114, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20251115", .security_policy = &security_policy_20251115, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* 20251116 is the one member of the 20251113..17 family with a TLS 1.0 floor (see its definition above). */
    { .version = "20251116", .security_policy = &security_policy_20251116, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* the same as 20251114, but without any SHA1 HMAC ciphers */
    { .version = "20251117", .security_policy = &security_policy_20251117, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* If changing this, please update the usage guide's docs on the corresponding policy.
     * "rfc9151" and "cnsa_1" are two names for the same 20251013 policy. */
    { .version = "rfc9151", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "cnsa_1", .security_policy = &security_policy_20251013, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "cnsa_2", .security_policy = &security_policy_20260219, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "cnsa_1_2_interop", .security_policy = &security_policy_20260220, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Test-only policies. Several have SSLv3 or TLS 1.0 floors and catch-all tables; never select these in production. */
    { .version = "test_all", .security_policy = &security_policy_test_all, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_fips", .security_policy = &security_policy_test_all_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_ecdsa", .security_policy = &security_policy_test_all_ecdsa, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_rsa_kex", .security_policy = &security_policy_test_all_rsa_kex, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_ecdsa_priority", .security_policy = &security_policy_test_ecdsa_priority, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls12", .security_policy = &security_policy_test_all_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls13", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_pq_only", .security_policy = &security_policy_test_pq_only, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* All-null tables; presumably a placeholder/sentinel policy, not for production use. */
    { .version = "null", .security_policy = &security_policy_null, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Terminator: must stay last. */
    { .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
};
1632 : :
/* Names of security policies that have been retired and can no longer be selected.
 *
 * s2n_find_security_policy_from_version() consults this table (case-insensitively)
 * after the live table and fails with S2N_ERR_DEPRECATED_SECURITY_POLICY for any
 * name listed here, so a retired name is reported as "removed" rather than as an
 * unknown name and never silently resolves to a different policy.
 */
const char *deprecated_security_policies[] = {
    "KMS-PQ-TLS-1-0-2019-06",
    "KMS-PQ-TLS-1-0-2020-02",
    "KMS-PQ-TLS-1-0-2020-07",
    "PQ-TLS-1-0-2020-12",
    "PQ-TLS-1-1-2021-05-17",
    "PQ-TLS-1-0-2021-05-18",
    "PQ-TLS-1-0-2021-05-19",
    "PQ-TLS-1-0-2021-05-20",
    "PQ-TLS-1-1-2021-05-21",
    "PQ-TLS-1-0-2021-05-22",
    "PQ-TLS-1-0-2021-05-23",
    "PQ-TLS-1-0-2021-05-24",
    "PQ-TLS-1-0-2021-05-25",
    "PQ-TLS-1-0-2021-05-26",
    "PQ-TLS-1-0-2023-01-24",
    "PQ-TLS-1-2-2023-04-07",
    "PQ-TLS-1-2-2023-04-08",
    "PQ-TLS-1-2-2023-04-09",
    "PQ-TLS-1-2-2023-04-10",
    "PQ-TLS-1-3-2023-06-01",
    "PQ-TLS-1-2-2023-10-07",
    "PQ-TLS-1-2-2023-10-08",
    "PQ-TLS-1-2-2023-10-09",
    "PQ-TLS-1-2-2023-10-10",
    "PQ-TLS-1-2-2023-12-13",
    "PQ-TLS-1-2-2023-12-14",
    "PQ-TLS-1-2-2023-12-15",
    "PQ-SIKE-TEST-TLS-1-0-2019-11",
    "PQ-SIKE-TEST-TLS-1-0-2020-02",
    "20240730",
};
/* Entry count of the table above; the bound used when scanning it. */
const size_t deprecated_security_policies_len = s2n_array_len(deprecated_security_policies);
1666 : :
/**
 * Resolve a security policy from its version string.
 *
 * @param version          Policy name; compared case-insensitively against the
 *                         entries of security_policy_selection.
 * @param security_policy  Receives the matching policy on success; untouched on failure.
 * @return S2N_SUCCESS on a match. A name present in deprecated_security_policies
 *         fails with S2N_ERR_DEPRECATED_SECURITY_POLICY; any other unknown name
 *         fails with S2N_ERR_INVALID_SECURITY_POLICY.
 */
int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(security_policy);

    /* Live policies first; the selection table ends with an entry whose version is NULL. */
    for (int pos = 0; security_policy_selection[pos].version != NULL; pos++) {
        if (strcasecmp(version, security_policy_selection[pos].version) == 0) {
            *security_policy = security_policy_selection[pos].security_policy;
            return S2N_SUCCESS;
        }
    }

    /* Retired names are reported distinctly so callers can tell "removed" from "never existed". */
    size_t d = 0;
    while (d < deprecated_security_policies_len) {
        if (strcasecmp(version, deprecated_security_policies[d]) == 0) {
            POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
        }
        d++;
    }

    POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1687 : :
/* Decide whether `security_policy` may be installed on `config`.
 *
 * Fails with S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED when the policy's minimum
 * protocol version is above what the linked libcrypto fully supports, and with
 * S2N_ERR_INVALID_SECURITY_POLICY when a strongly preferred KEM group is not
 * available from libcrypto or when the policy offers neither an ECC curve nor a
 * PQ KEM group, i.e. no key exchange could ever succeed. The null policy is
 * accepted right after the protocol-version check. Finally, certificates already
 * loaded into the config are checked against the policy's certificate preferences.
 *
 * Returns S2N_SUCCESS when every check passes.
 */
static int s2n_config_validate_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* A policy that demands a protocol version libcrypto cannot provide is unusable. */
    POSIX_ENSURE(security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version(),
            S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* The null policy is exempt from the key-exchange and certificate checks below. */
    if (security_policy == &security_policy_null) {
        return S2N_SUCCESS;
    }

    /* Each strongly preferred group that names a KEM group must be usable with this libcrypto. */
    if (security_policy->strongly_preferred_groups != NULL) {
        for (size_t g = 0; g < security_policy->strongly_preferred_groups->count; g++) {
            const struct s2n_kem_group *preferred_kem_group = NULL;
            bool is_kem_group = false;
            POSIX_GUARD(s2n_find_kem_group_from_iana_id(security_policy->strongly_preferred_groups->iana_ids[g],
                    &preferred_kem_group, &is_kem_group));
            if (!is_kem_group) {
                continue;
            }
            POSIX_ENSURE(s2n_kem_group_is_available(preferred_kem_group), S2N_ERR_INVALID_SECURITY_POLICY);
        }
    }

    /* With no ECC curve and no PQ KEM group there is nothing to negotiate a key with. */
    uint32_t kem_groups_available = 0;
    POSIX_GUARD_RESULT(s2n_kem_preferences_groups_available(security_policy->kem_preferences, &kem_groups_available));
    const uint32_t ecc_available = security_policy->ecc_preferences->count;
    POSIX_ENSURE(ecc_available + kem_groups_available > 0, S2N_ERR_INVALID_SECURITY_POLICY);

    /* Certificates already loaded into the config must satisfy the policy's cert preferences. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));
    return S2N_SUCCESS;
}
1725 : :
/* Install `security_policy` on `config`.
 *
 * The policy is validated against the config first (see
 * s2n_config_validate_security_policy), so a rejected policy leaves the
 * config's current policy untouched. Returns S2N_SUCCESS on success.
 */
int s2n_config_set_security_policy(struct s2n_config *config, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(config);
    POSIX_GUARD(s2n_config_validate_security_policy(config, security_policy));

    config->security_policy = security_policy;
    return S2N_SUCCESS;
}
1733 : :
/* Look up the policy named `version` and install it on `config`.
 *
 * Unknown and deprecated names are rejected by
 * s2n_find_security_policy_from_version before anything is changed.
 * Returns S2N_SUCCESS on success.
 */
int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));

    POSIX_GUARD(s2n_config_set_security_policy(config, resolved));
    return S2N_SUCCESS;
}
1741 : :
/* Override the security policy for a single connection.
 *
 * The policy is validated against conn->config (which must therefore be set)
 * and only then stored in conn->security_policy_override. Returns 0 on success.
 */
int s2n_connection_set_security_policy(struct s2n_connection *conn, const struct s2n_security_policy *security_policy)
{
    POSIX_ENSURE_REF(conn);
    POSIX_GUARD(s2n_config_validate_security_policy(conn->config, security_policy));

    conn->security_policy_override = security_policy;
    return S2N_SUCCESS;
}
1749 : :
/* Look up the policy named `version` and set it as the override for `conn`.
 *
 * Unknown and deprecated names are rejected by
 * s2n_find_security_policy_from_version before the connection is touched.
 * Returns S2N_SUCCESS on success.
 */
int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    const struct s2n_security_policy *resolved = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &resolved));

    POSIX_GUARD(s2n_connection_set_security_policy(conn, resolved));
    return S2N_SUCCESS;
}
1757 : :
/**
 * Validate every built-in security policy and fill in the derived fields of its
 * security_policy_selection entry (supports_tls13, ecc_extension_required,
 * pq_kem_extension_required).
 *
 * s2n_ecc_is_extension_required(), s2n_pq_kem_is_extension_required() and
 * s2n_security_policy_supports_tls13() read those fields for built-in policies,
 * so this must have run before they are relied on. An inconsistency in a
 * built-in policy is a programming error and is reported as
 * S2N_ERR_INVALID_SECURITY_POLICY (or the error of the failing sub-check).
 *
 * @return 0 when every policy passes; the first failure otherwise.
 */
int s2n_security_policies_init()
{
    /* The selection table is terminated by an entry whose version is NULL. */
    for (int i = 0; security_policy_selection[i].version != NULL; i++) {
        const struct s2n_security_policy *security_policy = security_policy_selection[i].security_policy;
        POSIX_ENSURE_REF(security_policy);
        const struct s2n_cipher_preferences *cipher_preference = security_policy->cipher_preferences;
        POSIX_ENSURE_REF(cipher_preference);
        const struct s2n_kem_preferences *kem_preference = security_policy->kem_preferences;
        POSIX_ENSURE_REF(kem_preference);
        const struct s2n_ecc_preferences *ecc_preference = security_policy->ecc_preferences;
        POSIX_ENSURE_REF(ecc_preference);
        POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));

        /* Certificate signature preferences are optional; only validate them when present. */
        const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
        if (certificate_signature_preference != NULL) {
            POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
        }

        /* The null policy is the one policy allowed to have no key exchange at all. */
        if (security_policy != &security_policy_null) {
            /* All policies must have at least one ecc curve or PQ kem group configured. */
            bool ecc_kx_supported = ecc_preference->count > 0;
            bool pq_kx_supported = kem_preference->tls13_kem_group_count > 0;
            POSIX_ENSURE(ecc_kx_supported || pq_kx_supported, S2N_ERR_INVALID_SECURITY_POLICY);

            /* A PQ key exchange is only supported in TLS 1.3, so PQ-only policies must require TLS 1.3.*/
            if (!ecc_kx_supported) {
                POSIX_ENSURE(security_policy->minimum_protocol_version >= S2N_TLS13, S2N_ERR_INVALID_SECURITY_POLICY);
            }
        }

        /* Derive the per-policy flags from its cipher suites. */
        for (int j = 0; j < cipher_preference->count; j++) {
            struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
            POSIX_ENSURE_REF(cipher);

            const uint8_t *iana = cipher->iana_value;

            /* One suite whose minimum version is TLS 1.3 is enough to mark the policy as TLS 1.3 capable. */
            if (cipher->minimum_required_tls_version >= S2N_TLS13) {
                security_policy_selection[i].supports_tls13 = 1;
            }

            /* Sanity check that valid tls13 has minimum tls version set correctly:
             * the XOR fails exactly when a suite is a TLS 1.3 cipher but its minimum
             * version is below TLS 1.3, or vice versa. */
            S2N_ERROR_IF(s2n_is_valid_tls13_cipher(iana) ^ (cipher->minimum_required_tls_version >= S2N_TLS13),
                    S2N_ERR_INVALID_SECURITY_POLICY);

            if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
                security_policy_selection[i].ecc_extension_required = 1;
            }

            /* The PQ KEM extension is only required when the policy actually lists
             * TLS 1.2 KEMs; a PQ-capable suite with an empty KEM list does not set it. */
            if (s2n_cipher_suite_requires_pq_extension(cipher) && kem_preference->kem_count > 0) {
                security_policy_selection[i].pq_kem_extension_required = 1;
            }
        }

        /* Cross-check the KEM list against the flag just derived from the suites. */
        POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[i].pq_kem_extension_required));

        /* Validate that security rules are correctly applied.
         * This should be checked by a unit test, but outside of unit tests we
         * check again here to cover the case where the unit tests are not run.
         */
        if (!s2n_in_unit_test()) {
            struct s2n_security_rule_result result = { 0 };
            POSIX_GUARD_RESULT(s2n_security_policy_validate_security_rules(security_policy, &result));
            POSIX_ENSURE(!result.found_error, S2N_ERR_INVALID_SECURITY_POLICY);
        }
    }
    return 0;
}
1825 : :
/* Report whether handshakes under `security_policy` require the ECC extension.
 *
 * For a policy listed in security_policy_selection the answer is the flag
 * computed by s2n_security_policies_init(); for any other policy it is derived
 * here from the policy's cipher suites. A NULL policy, or one without cipher
 * preferences, never requires the extension.
 */
bool s2n_ecc_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (int entry = 0; security_policy_selection[entry].version != NULL; entry++) {
        if (security_policy_selection[entry].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[entry].ecc_extension_required == 1;
    }

    /* Not a built-in policy: answer from the suites themselves. */
    const struct s2n_cipher_preferences *suites = security_policy->cipher_preferences;
    if (suites == NULL) {
        return false;
    }
    for (size_t k = 0; k < suites->count; k++) {
        if (s2n_cipher_suite_requires_ecc_extension(suites->suites[k])) {
            return true;
        }
    }
    return false;
}
1851 : :
/* Report whether handshakes under `security_policy` require the TLS 1.2 PQ KEM extension.
 *
 * For a policy listed in security_policy_selection the answer is the flag
 * computed by s2n_security_policies_init(). Otherwise a policy whose KEM
 * preferences list no TLS 1.2 KEMs never needs the extension; failing that, the
 * answer is derived from the policy's cipher suites. A NULL policy, or one
 * without cipher preferences, never requires the extension.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (int entry = 0; security_policy_selection[entry].version != NULL; entry++) {
        if (security_policy_selection[entry].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[entry].pq_kem_extension_required == 1;
    }

    /* Preferences with no KEMs for the TLS 1.2 PQ KEM extension do not require that extension. */
    const struct s2n_kem_preferences *kems = security_policy->kem_preferences;
    if (kems && kems->kem_count == 0) {
        return false;
    }

    /* Not a built-in policy: answer from the suites themselves. */
    const struct s2n_cipher_preferences *suites = security_policy->cipher_preferences;
    if (suites == NULL) {
        return false;
    }
    for (size_t k = 0; k < suites->count; k++) {
        if (s2n_cipher_suite_requires_pq_extension(suites->suites[k])) {
            return true;
        }
    }
    return false;
}
1881 : :
/* Checks whether a security policy supports TLS 1.3, i.e. whether it is
 * configured with at least one TLS 1.3 cipher suite.
 *
 * For a policy listed in security_policy_selection the answer is the flag
 * computed by s2n_security_policies_init(); for any other policy it is derived
 * here from the minimum protocol version of each of its suites. A NULL policy,
 * or one without cipher preferences, does not support TLS 1.3.
 */
bool s2n_security_policy_supports_tls13(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (size_t entry = 0; security_policy_selection[entry].version != NULL; entry++) {
        if (security_policy_selection[entry].security_policy != security_policy) {
            continue;
        }
        return security_policy_selection[entry].supports_tls13 == 1;
    }

    /* Not a built-in policy: answer from the suites themselves. */
    const struct s2n_cipher_preferences *suites = security_policy->cipher_preferences;
    if (suites == NULL) {
        return false;
    }
    for (size_t k = 0; k < suites->count; k++) {
        if (suites->suites[k]->minimum_required_tls_version >= S2N_TLS13) {
            return true;
        }
    }
    return false;
}
1911 : :
/* Check whether `conn`'s negotiated parameters are permitted by the policy named `version`.
 *
 * Returns 1 when the connection's actual protocol version is at least the
 * policy's minimum and its negotiated cipher suite appears in the policy's
 * cipher preferences, 0 when either condition fails, and a negative value when
 * an argument is NULL or the name cannot be resolved. Suite identity is decided
 * by comparing IANA values with s2n_constant_time_equals.
 */
int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(conn->secure);
    POSIX_ENSURE_REF(conn->secure->cipher_suite);

    const struct s2n_security_policy *policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &policy));
    POSIX_ENSURE_REF(policy);

    /* A protocol version below the policy's floor is a mismatch, not an error. */
    if (s2n_connection_get_actual_protocol_version(conn) < policy->minimum_protocol_version) {
        return 0;
    }

    struct s2n_cipher_suite *negotiated = conn->secure->cipher_suite;
    POSIX_ENSURE_REF(negotiated);

    const struct s2n_cipher_preferences *allowed = policy->cipher_preferences;
    for (int k = 0; k < allowed->count; ++k) {
        const uint8_t *candidate = allowed->suites[k]->iana_value;
        if (s2n_constant_time_equals(candidate, negotiated->iana_value, S2N_TLS_CIPHER_SUITE_LEN)) {
            return 1;
        }
    }

    return 0;
}
1938 : :
/* Sanity-check a KEM preference list.
 *
 * Each count must be zero exactly when its list pointer is NULL, the TLS 1.3
 * KEM group count may not exceed S2N_KEM_GROUPS_COUNT, and the TLS 1.2 KEM
 * list must be populated if and only if `pq_kem_extension_required` is set,
 * because the PQ KEM extension exists only for TLS 1.2.
 *
 * Returns S2N_SUCCESS when consistent; S2N_ERR_INVALID_SECURITY_POLICY or
 * S2N_ERR_ARRAY_INDEX_OOB otherwise.
 */
int s2n_validate_kem_preferences(const struct s2n_kem_preferences *kem_preferences, bool pq_kem_extension_required)
{
    POSIX_ENSURE_REF(kem_preferences);

    const bool no_tls13_groups = kem_preferences->tls13_kem_group_count == 0;
    const bool no_kems = kem_preferences->kem_count == 0;

    /* A zero count and a NULL list go together; one without the other is malformed. */
    POSIX_ENSURE(S2N_IFF(no_tls13_groups, kem_preferences->tls13_kem_groups == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(S2N_IFF(no_kems, kem_preferences->kems == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(kem_preferences->tls13_kem_group_count <= S2N_KEM_GROUPS_COUNT, S2N_ERR_ARRAY_INDEX_OOB);

    /* The PQ KEM extension is applicable only to TLS 1.2. */
    if (!pq_kem_extension_required) {
        POSIX_ENSURE(no_kems, S2N_ERR_INVALID_SECURITY_POLICY);
        POSIX_ENSURE(kem_preferences->kems == NULL, S2N_ERR_INVALID_SECURITY_POLICY);
    } else {
        POSIX_ENSURE(kem_preferences->kem_count > 0, S2N_ERR_INVALID_SECURITY_POLICY);
        POSIX_ENSURE(kem_preferences->kems != NULL, S2N_ERR_INVALID_SECURITY_POLICY);
    }

    return S2N_SUCCESS;
}
1961 : :
/* Check that a certificate signature preference list is usable.
 *
 * Counts the RSA-PSS schemes in the list and requires the count to be either 0
 * or NUM_RSA_PSS_SCHEMES. See https://github.com/aws/s2n-tls/issues/3435: the
 * OpenSSL routine used to parse the signature off a certificate does not
 * distinguish between the RSA-PSS schemes, so a list that admits one of them
 * must admit all of them.
 *
 * Returns S2N_RESULT_OK when consistent; S2N_ERR_INVALID_SECURITY_POLICY otherwise.
 */
S2N_RESULT s2n_validate_certificate_signature_preferences(const struct s2n_signature_preferences *certificate_signature_preferences)
{
    RESULT_ENSURE_REF(certificate_signature_preferences);

    size_t pss_schemes = 0;
    for (size_t k = 0; k < certificate_signature_preferences->count; k++) {
        if (certificate_signature_preferences->signature_schemes[k]->libcrypto_nid != NID_rsassaPss) {
            continue;
        }
        pss_schemes++;
    }

    const bool all_or_none = (pss_schemes == 0) || (pss_schemes == NUM_RSA_PSS_SCHEMES);
    RESULT_ENSURE(all_or_none, S2N_ERR_INVALID_SECURITY_POLICY);
    return S2N_RESULT_OK;
}
1983 : :
/* Look up the version string under which `security_policy` is registered.
 *
 * `*version` is set to NULL first and then to the matching entry's name. Only
 * policies present in security_policy_selection have a name; any other policy
 * fails with S2N_ERR_INVALID_SECURITY_POLICY and leaves `*version` NULL.
 */
S2N_RESULT s2n_security_policy_get_version(const struct s2n_security_policy *security_policy, const char **version)
{
    RESULT_ENSURE_REF(version);
    *version = NULL;

    for (size_t entry = 0; security_policy_selection[entry].version != NULL; entry++) {
        if (security_policy_selection[entry].security_policy != security_policy) {
            continue;
        }
        *version = security_policy_selection[entry].version;
        return S2N_RESULT_OK;
    }

    RESULT_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1996 : :
/* Check a certificate's signature algorithm against the policy's certificate
 * signature preferences.
 *
 * A policy with no certificate_signature_preferences accepts every signature.
 * Otherwise the certificate's signature_nid must match the libcrypto_nid of one
 * of the listed schemes; if none matches, the call fails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_signature(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_signature_preferences *allowed = security_policy->certificate_signature_preferences;
    if (allowed == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t k = 0; k < allowed->count; k++) {
        if (allowed->signature_schemes[k]->libcrypto_nid != info->signature_nid) {
            continue;
        }
        return S2N_RESULT_OK;
    }

    RESULT_BAIL(error);
}
2015 : :
/* Check a certificate's public key against the policy's certificate key preferences.
 *
 * A policy with no certificate_key_preferences accepts every key. Otherwise the
 * certificate's public_key_nid and public_key_bits must both match one of the
 * listed keys; if none matches, the call fails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_key(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);

    const struct s2n_certificate_key_preferences *allowed = security_policy->certificate_key_preferences;
    if (allowed == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t k = 0; k < allowed->count; k++) {
        const bool same_algorithm = allowed->certificate_keys[k]->public_key_libcrypto_nid == info->public_key_nid;
        const bool same_size = allowed->certificate_keys[k]->bits == info->public_key_bits;
        if (same_algorithm && same_size) {
            return S2N_RESULT_OK;
        }
    }

    RESULT_BAIL(error);
}
2034 : :
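/* Check every certificate in `cert_key_pair`'s chain against the policy's
 * certificate key and signature preferences.
 *
 * Only policies with certificate_preferences_apply_locally set are enforced
 * here; for all others the chain is accepted as-is. Each certificate is checked
 * key first, then signature, and the first violation fails the whole chain with
 * S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT.
 *
 * Returns S2N_RESULT_OK when the chain is acceptable.
 */
S2N_RESULT s2n_security_policy_validate_certificate_chain(
        const struct s2n_security_policy *security_policy,
        const struct s2n_cert_chain_and_key *cert_key_pair)
{
    RESULT_ENSURE_REF(security_policy);
    RESULT_ENSURE_REF(cert_key_pair);
    RESULT_ENSURE_REF(cert_key_pair->cert_chain);

    if (!security_policy->certificate_preferences_apply_locally) {
        return S2N_RESULT_OK;
    }

    /* Walk the linked chain from its head; `&current->info` is the per-cert
     * summary the two validators inspect. */
    struct s2n_cert *current = cert_key_pair->cert_chain->head;
    while (current != NULL) {
        RESULT_GUARD(s2n_security_policy_validate_cert_key(security_policy, &current->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        RESULT_GUARD(s2n_security_policy_validate_cert_signature(security_policy, &current->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        current = current->next;
    }
    return S2N_RESULT_OK;
}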