1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_security_policies.h"
17 : :
18 : : #include "api/s2n.h"
19 : : #include "tls/s2n_certificate_keys.h"
20 : : #include "tls/s2n_connection.h"
21 : : #include "utils/s2n_safety.h"
22 : :
/* TLS1.2 default as of 05/24.
 *
 * Minimum protocol version is TLS1.2, so SSLv3/TLS1.0/TLS1.1 peers are not
 * negotiated under this policy. Only the S2N_PERFECT_FORWARD_SECRECY flag is
 * set; the rule flags declare properties the policy is meant to satisfy, and
 * the checks that consume them live outside this file. No
 * certificate_signature_preferences are given, so this policy leaves
 * certificate-chain signature algorithms to the library default (not visible
 * here).
 */
const struct s2n_security_policy security_policy_20240501 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    /* kem_preferences_null: presumably no post-quantum KEM groups are offered */
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
34 : :
/* FIPS default as of 05/24.
 *
 * Same TLS1.2 minimum and cipher list (cipher_preferences_20240331) as
 * security_policy_20240501, but adds certificate_signature_preferences and
 * uses the older s2n_ecc_preferences_20201021 curve list. Flagged with both
 * S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3.
 *
 * NOTE(review): the S2N_FIPS_140_3 flag describes the algorithm selection
 * only; whether a deployment is actually FIPS 140-3 validated depends on the
 * libcrypto it is linked against, which is not determined here.
 */
const struct s2n_security_policy security_policy_20240502 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    /* Unlike 20240501, certificate-chain signatures are also constrained. */
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
48 : :
/* TLS1.3 default as of 05/24.
 *
 * Despite the name, minimum_protocol_version is S2N_TLS12, so TLS1.2 peers
 * are still accepted; whether TLS1.3 is negotiated is governed by
 * cipher_preferences_cloudfront_tls_1_2_2019, whose contents are not in this
 * file. Relative to security_policy_20240501 the visible differences are the
 * cipher list and the added certificate_signature_preferences.
 */
const struct s2n_security_policy security_policy_20240503 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
61 : :
/* PQ default as of 07/24.
 *
 * Identical to security_policy_20240503 except that kem_preferences is
 * kem_preferences_pq_tls_1_3_2023_06 instead of kem_preferences_null, i.e.
 * the TLS1.3 default with a post-quantum KEM preference list attached. The
 * TLS1.2 minimum means a peer can presumably still negotiate a classical
 * TLS1.2 session under this policy; PQ key exchange is not mandatory here.
 */
const struct s2n_security_policy security_policy_20240730 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
74 : :
/* security_policy_20240730 with the KEM list moved to
 * kem_preferences_pq_tls_1_3_ietf_2024_10; every other field is unchanged.
 * The "ietf" suffix suggests the IETF-standardized hybrid group codepoints,
 * but the list itself is defined elsewhere -- verify there before relying on
 * specific groups.
 */
const struct s2n_security_policy security_policy_20241001 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
86 : :
/* 20241001, but with ML-DSA added.
 *
 * The only fields that differ from security_policy_20241001 are
 * signature_preferences and certificate_signature_preferences, which move to
 * the 20250512 tables (the tables that add ML-DSA). Cipher, KEM and ECC lists
 * and the TLS1.2 minimum are unchanged.
 */
const struct s2n_security_policy security_policy_20250512 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
99 : :
/* security_policy_20250512 with the KEM list advanced to
 * kem_preferences_pq_tls_1_3_ietf_2025_07; every other field is the same.
 */
const struct s2n_security_policy security_policy_20250721 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20250512,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
111 : :
/* security_policy_20241001 with kem_preferences_pq_tls_1_3_mixed_2024_10 in
 * place of the ietf list; all other fields match. What "mixed" covers is
 * defined by that KEM table, not here.
 */
const struct s2n_security_policy security_policy_20241001_pq_mixed = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240501,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
123 : :
/* TLS1.2 minimum with the 20240603 cipher and ECC tables. Unlike the other
 * 2024 policies above, no rule flags are set (neither
 * S2N_PERFECT_FORWARD_SECRECY nor S2N_FIPS_140_3), so nothing in this file
 * asserts that every suite in cipher_preferences_20240603 provides forward
 * secrecy -- check that table before using this policy where PFS matters.
 */
const struct s2n_security_policy security_policy_20240603 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240603,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20240603,
};
132 : :
/* Legacy policy: TLS1.0 minimum with the 2014 signature and ECC tables and no
 * rule flags. NOTE(review): TLS1.0 and TLS1.1 are deprecated (RFC 8996);
 * prefer a TLS1.2-minimum policy unless a peer genuinely cannot do TLS1.2.
 */
const struct s2n_security_policy security_policy_20170210 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170210,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
140 : :
/* TLS1.0 minimum combined with the newer 20210831 cipher list, 20200207
 * signature table, 20201110 certificate-signature table and 20200310 curves;
 * no rule flags. NOTE(review): the old minimum keeps TLS1.0/1.1 negotiable
 * (both deprecated by RFC 8996) even though the algorithm tables are recent.
 */
const struct s2n_security_policy security_policy_20240417 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210831,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
149 : :
/*
 * This security policy is derived from the following specification:
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
 *
 * Supports TLS1.2: minimum_protocol_version is S2N_TLS12. Whether TLS1.3 is
 * also offered depends on cipher_preferences_default_fips, defined elsewhere.
 *
 * Uses the *_default_fips tables throughout. certificate_signature_preferences
 * points at the same s2n_signature_preferences_default_fips table as
 * signature_preferences, so handshake and certificate-chain signatures are
 * constrained identically. Flagged S2N_PERFECT_FORWARD_SECRECY and
 * S2N_FIPS_140_3; FIPS validation of a deployment still depends on the linked
 * libcrypto, which this file does not control.
 */
const struct s2n_security_policy security_policy_20240416 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_default_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_default_fips,
    /* Same table as signature_preferences (not a certificate_* variant). */
    .certificate_signature_preferences = &s2n_signature_preferences_default_fips,
    .ecc_preferences = &s2n_ecc_preferences_default_fips,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
168 : :
/* FIPS-flagged TLS1.2-minimum policy built from the 20230317 cipher and
 * signature tables (the same signature table is reused for certificate
 * signatures) with s2n_ecc_preferences_20201021. Flagged
 * S2N_PERFECT_FORWARD_SECRECY and S2N_FIPS_140_3.
 */
const struct s2n_security_policy security_policy_20230317 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20230317,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
181 : :
/* security_policy_20230317 with cipher_preferences advanced to
 * cipher_preferences_20240331; signature, certificate-signature and ECC
 * tables and both rule flags are unchanged.
 */
const struct s2n_security_policy security_policy_20240331 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20240331,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .certificate_signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};
194 : :
/* TLS1.0-minimum policy with the 20190801 cipher list and no rule flags.
 * NOTE(review): TLS1.0/1.1 remain negotiable here (deprecated by RFC 8996).
 */
const struct s2n_security_policy security_policy_20190801 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
207 : :
/* Identical to security_policy_20190801 except for the curve list:
 * s2n_ecc_preferences_20140601 instead of s2n_ecc_preferences_20200310.
 * Same TLS1.0 minimum and the same RFC 8996 caveat apply.
 */
const struct s2n_security_policy security_policy_20190802 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190801,
    .kem_preferences = &kem_preferences_null,
    /* The discrepancy in the date exists because the signature preferences
     * were named when cipher preferences and signature preferences were
     * tracked separately, and we chose to keep the cipher preference
     * name because customers use it.
     */
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
220 : :
/* Legacy TLS1.0-minimum policies on the 2014 signature/ECC tables; the two
 * differ only in cipher_preferences (20170405 vs 20170405_gcm). No rule
 * flags. NOTE(review): TLS1.0/1.1 are deprecated (RFC 8996).
 */
const struct s2n_security_policy security_policy_20170405 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* security_policy_20170405 with the _gcm cipher list; otherwise identical. */
const struct s2n_security_policy security_policy_20170405_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170405_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};
236 : :
/* ELB-compatible policies.
 *
 * All of them use the 2014 signature and ECC tables and kem_preferences_null;
 * they differ in minimum protocol version, cipher list, and whether the
 * S2N_PERFECT_FORWARD_SECRECY flag is set (only the fs_* variants carry it).
 * NOTE(review): 2015_04, 2016_08 and fs_2018_06 still admit TLS1.0, and the
 * tls_1_1_* / fs_1_1_* policies admit TLS1.1; both versions are deprecated by
 * RFC 8996.
 */

/* TLS1.0 minimum, no PFS flag. */
const struct s2n_security_policy security_policy_elb_2015_04 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2015_04,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.0 minimum, no PFS flag. */
const struct s2n_security_policy security_policy_elb_2016_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_2016_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.1 minimum, no PFS flag. */
const struct s2n_security_policy security_policy_elb_tls_1_1_2017_01 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_tls_1_1_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 minimum, no PFS flag. */
const struct s2n_security_policy security_policy_elb_tls_1_2_2017_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_2017_01,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 minimum with the "ext" cipher list, no PFS flag. */
const struct s2n_security_policy security_policy_elb_tls_1_2_ext_2018_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls_1_2_ext_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* Forward-secrecy variant, but still TLS1.0 minimum. */
const struct s2n_security_policy security_policy_elb_fs_2018_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &elb_security_policy_fs_2018_06,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy variant, TLS1.2 minimum. */
const struct s2n_security_policy security_policy_elb_fs_1_2_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy variant, TLS1.1 minimum. */
const struct s2n_security_policy security_policy_elb_fs_1_1_2019_08 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &elb_security_policy_fs_1_1_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Forward-secrecy "Res" variant, TLS1.2 minimum. */
const struct s2n_security_policy security_policy_elb_fs_1_2_Res_2019_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_fs_1_2_Res_2019_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
320 : :
/* CloudFront upstream (presumably origin-facing) policies.
 *
 * All use the 2014 signature table and s2n_ecc_preferences_20230623, with
 * kem_preferences_null and no rule flags; they differ only in minimum protocol
 * version and cipher list. NOTE(review): security_policy_cloudfront_upstream
 * allows S2N_SSLv3 -- SSLv3 is prohibited by RFC 7568 (POODLE) and should only
 * be selected when an origin genuinely cannot negotiate anything newer; the
 * _tls10/_tls11 variants admit TLS1.0/1.1 (deprecated by RFC 8996). Prefer the
 * _tls12 variant where the origin supports it.
 */
const struct s2n_security_policy security_policy_cloudfront_upstream = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_tls10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_cloudfront_upstream_tls11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls11,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* The only upstream policy with a TLS1.2 floor. */
const struct s2n_security_policy security_policy_cloudfront_upstream_tls12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_upstream_tls12,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};
353 : :
/* CloudFront viewer facing policies.
 *
 * All use s2n_signature_preferences_20200207 and s2n_ecc_preferences_20200310
 * with kem_preferences_null; they differ in minimum protocol version, cipher
 * list, and whether the S2N_PERFECT_FORWARD_SECRECY flag is set (only
 * tls_1_2_2019 and the tls_1_2_2021* policies carry it).
 * NOTE(review): cloudfront_ssl_v_3 admits SSLv3 (prohibited by RFC 7568) and
 * the tls_1_0_* / tls_1_1_2016 policies admit TLS1.0/1.1 (deprecated by
 * RFC 8996). These exist for viewer compatibility; prefer a TLS1.2-minimum
 * policy where the client population allows.
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_cloudfront_tls_1_0_2016, but with TLS 1.2 as minimum.
 * The cipher list is unchanged, so only the protocol floor is raised. */
const struct s2n_security_policy security_policy_20241106 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 minimum, but no PFS flag. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2017 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2017,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.2 minimum, but no PFS flag. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* First viewer policy in this group flagged S2N_PERFECT_FORWARD_SECRECY. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as tls_1_2_2021 apart from the cipher list; the "chacha20_boosted"
 * ordering is defined in that table, not here. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2021_chacha20_boosted = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2021_chacha20_boosted,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
444 : :
/* CloudFront viewer facing legacy TLS 1.2 policies.
 *
 * The same version ladder as the viewer policies above, but on the 2014
 * signature/ECC tables and the *_legacy cipher lists. Only
 * tls_1_2_2019_legacy carries the S2N_PERFECT_FORWARD_SECRECY flag.
 * NOTE(review): cloudfront_ssl_v_3_legacy admits SSLv3 (prohibited by
 * RFC 7568) and the tls_1_0_* / tls_1_1_* variants admit TLS1.0/1.1
 * (deprecated by RFC 8996).
 */
const struct s2n_security_policy security_policy_cloudfront_ssl_v_3_legacy = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_cloudfront_ssl_v_3_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2014_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2014_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_0_2016_legacy = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_0_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

const struct s2n_security_policy security_policy_cloudfront_tls_1_1_2016_legacy = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_1_2016_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 minimum, no PFS flag. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2018_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2018_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* TLS1.2 minimum; the only legacy policy flagged for forward secrecy. */
const struct s2n_security_policy security_policy_cloudfront_tls_1_2_2019_legacy = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019_legacy,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
496 : :
/* AWS CRT SDK policies.
 *
 * ssl_v3 / tls_10 / tls_11 / tls_12 share s2n_signature_preferences_20200207
 * and s2n_ecc_preferences_20200310; tls_10, tls_11 and tls_12 also share
 * cipher_preferences_aws_crt_sdk_default and differ only in the protocol
 * floor. tls_13 is the only policy here with a TLS1.3 minimum and, in the
 * first group, the only one flagged S2N_PERFECT_FORWARD_SECRECY. The *_06_23
 * variants repeat the same five policies with s2n_ecc_preferences_20230623
 * as the only change. tls_30_06_25 stands apart: TLS1.2 minimum,
 * cipher_preferences_aws_crt_sdk_2025, the 20240501 signature table, the
 * 2014 curve list, and both the PFS and S2N_FIPS_140_3 flags.
 * NOTE(review): the two ssl_v3 policies admit SSLv3 (prohibited by RFC 7568);
 * the tls_10 / tls_11 policies admit TLS1.0/1.1 (deprecated by RFC 8996).
 */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.3 floor: TLS1.2 and older peers are rejected under this policy. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* 06_23 variants: identical to the policies above except for the curve list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_ssl_v3_06_23 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_ssl_v3,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_06_23 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_11_06_23 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Note the name does not encode a protocol version; the floor here is TLS1.2.
 * FIPS flag caveat: algorithm selection only, libcrypto validation is separate. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
594 : :
/* KMS policies.
 *
 * All three are flagged S2N_PERFECT_FORWARD_SECRECY and use
 * kem_preferences_null. tls_1_0_2018_10 is TLS1.0-minimum on the 2014
 * signature/ECC tables; tls_1_0_2021_08 is TLS1.0-minimum on the 20200207
 * signature table and 20200310 curves; tls_1_2_2023_06 is tls_1_0_2021_08
 * with the floor raised to TLS1.2 (it reuses
 * cipher_preferences_kms_tls_1_0_2021_08, so only the protocol floor differs).
 * NOTE(review): the two tls_1_0_* policies admit deprecated TLS1.0/1.1
 * (RFC 8996).
 */
const struct s2n_security_policy security_policy_kms_tls_1_0_2018_10 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_kms_tls_1_0_2021_08 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as kms_tls_1_0_2021_08, but with TLS1.2 as minimum. */
const struct s2n_security_policy security_policy_kms_tls_1_2_2023_06 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_tls_1_0_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};
627 : :
/* KMS and generic post-quantum policies.
 *
 * NOTE(review): kms_pq_tls_1_0_2019_06 and kms_pq_tls_1_0_2020_02 carry "pq"
 * in the name but point at kem_preferences_null, so as defined here they offer
 * no KEM groups -- presumably the KEMs they originally referenced were removed
 * and the names kept for compatibility; verify before treating either as a PQ
 * policy. The remaining policies use kem_preferences_pq_tls_1_0_2021_05.
 * Every policy in this group has a TLS1.0 or TLS1.1 floor (deprecated by
 * RFC 8996); for a TLS1.2-minimum PQ policy see security_policy_20240730 and
 * later. Only kms_pq_tls_1_0_2019_06, kms_pq_tls_1_0_2020_02,
 * kms_pq_tls_1_0_2020_07, pq_tls_1_0_2020_12 and pq_tls_1_0_2021_05_20 carry
 * the S2N_PERFECT_FORWARD_SECRECY flag; the 2021_05_17/18/19/21/22 policies
 * set no rule flags at all.
 */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2019_06 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2019_06,
    /* No KEM groups despite the "pq" name -- see the note above. */
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_02,
    /* No KEM groups despite the "pq" name -- see the note above. */
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* First policy in this group that actually references a KEM list. */
const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Uses the newer 20200207 signature table and 20200310 curves. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2020_12 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2020_12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.1 floor, 2014 signature table, 20200310 curves, no rule flags. */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_17 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_17,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor, 2014 signature table, 20200310 curves, no rule flags. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_18 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_18,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same shape as 2021_05_18 with its own cipher list. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_19 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_19,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_20 = {
    .minimum_protocol_version = S2N_TLS10,
    /* Yes, this is the same cipher_preferences as kms_pq_tls_1_0_2020_07. The difference between these policies is
     * the ecc_preferences, with this one adding support for x25519 (via s2n_ecc_preferences_20200310
     * instead of s2n_ecc_preferences_20140601; the curve contents live in that table). */
    .cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* TLS1.1 floor on the 20200207/20200310 tables, no rule flags. */
const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_21 = {
    .minimum_protocol_version = S2N_TLS11,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* TLS1.0 floor on the 20200207/20200310 tables, no rule flags. */
const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_22 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};
724 : :
725 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_23 = {
726 : : .minimum_protocol_version = S2N_TLS10,
727 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_23,
728 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
729 : : .signature_preferences = &s2n_signature_preferences_20200207,
730 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
731 : : };
732 : :
733 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_24 = {
734 : : .minimum_protocol_version = S2N_TLS10,
735 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
736 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
737 : : .signature_preferences = &s2n_signature_preferences_20200207,
738 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
739 : : .rules = {
740 : : [S2N_PERFECT_FORWARD_SECRECY] = true,
741 : : },
742 : : };
743 : :
744 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_25 = {
745 : : .minimum_protocol_version = S2N_TLS10,
746 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_25,
747 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
748 : : .signature_preferences = &s2n_signature_preferences_20140601,
749 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
750 : : };
751 : :
752 : : const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_26 = {
753 : : .minimum_protocol_version = S2N_TLS10,
754 : : .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
755 : : .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
756 : : .signature_preferences = &s2n_signature_preferences_20200207,
757 : : .ecc_preferences = &s2n_ecc_preferences_20200310,
758 : : };
759 : :
/*
 * Same fields as security_policy_pq_tls_1_0_2021_05_24 (cipher list, 20200207
 * signatures, 20200310 ECC, PFS rule) except that the KEM preferences move to
 * the 2023-01 set.
 */
const struct s2n_security_policy security_policy_pq_tls_1_0_2023_01_24 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2023_01,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * 2023-04 series: each member reuses one of the 2021-05 policies' cipher lists
 * and KEM set unchanged and only raises the protocol floor to TLS1.2. The PFS
 * rule is carried over exactly where the source policy declared it (_09 only).
 */

/* Same as security_policy_pq_tls_1_1_2021_05_21, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_22, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_0_2021_05_24, but with TLS 1.2 as minimum (PFS rule retained) */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_0_2021_05_26, but with TLS 1.2 as minimum */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/*
 * PQ policy pairing the 2023-06-01 cipher list with the 2023-06 KEM set and
 * the 20201021 ECC set. No security rules are declared.
 * NOTE(review): despite the "tls_1_3" name the floor is S2N_TLS12, so TLS 1.2
 * handshakes are still permitted under this policy.
 */
const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_3_2023_06_01,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * 2023-10 series: byte-for-byte the 2023-04 policies with the KEM preferences
 * advanced from pq_tls_1_0_2021_05 to pq_tls_1_3_2023_06. Cipher lists,
 * signature/ECC sets and rule declarations are unchanged.
 */

/* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_04_09, but with updated KEM prefs (PFS rule retained) */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/*
 * 2023-12 PQ policies. All three share the 2023-12 KEM set, the 20230317
 * signature set and the 20201021 ECC set; they differ in cipher list and in
 * whether the FIPS 140-3 rule is declared.
 */

/*
 * General purpose "mostly" FIPS + PQ policy (with the exception of supporting
 * RSA key exchange for backwards compatibility). Consistent with that, no
 * S2N_FIPS_140_3 rule is declared here (and no PFS rule, since RSA key
 * exchange is not forward secret).
 */
const struct s2n_security_policy security_policy_pq_20231213 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231213,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* General purpose FIPS + PQ policy that meets all current FIPS requirements; FIPS 140-3 rule declared. */
const struct s2n_security_policy security_policy_pq_20231214 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20231214,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};

/* FIPS + PQ policy that uses KMS's FIPS cipher preference list (kms_fips_tls_1_2_2021_08) and meets all current FIPS requirements. */
const struct s2n_security_policy security_policy_pq_20231215 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * AWS CRT SDK PQ variants. All four use the 20200207 signature set and the
 * 20230623 ECC set and declare no security rules; they differ in protocol
 * floor, cipher list and KEM set (the 2025-07 IETF set vs. the 2024-10 mixed
 * set). The base policies named in the comments (aws_crt_sdk_tls_*_06_23) are
 * defined outside this section.
 */

/* Same as security_policy_aws_crt_sdk_tls_10_06_23 but with (IETF-standardized) ML-KEM support; TLS1.0 floor. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_10_07_25_pq = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with (IETF-standardized) ML-KEM support; TLS1.2 floor. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_07_25_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_13_06_23 but with (IETF-standardized) ML-KEM support; TLS1.3 floor and the TLS1.3-only cipher list. */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_07_25_pq = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/* Same as security_policy_aws_crt_sdk_tls_12_06_23 but with ML-KEM support via the 2024-10 "mixed" KEM set (the earlier, pre-IETF variant of aws_crt_sdk_tls_12_07_25_pq). */
const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23_pq = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_aws_crt_sdk_default,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20230623,
};

/*
 * 2024-10 series: successors to the 2023-10 policies that drop the TLS 1.2
 * Kyber (and, for _08/_08_gcm/_09, 3DES) suites and switch the KEM set to
 * pq_tls_1_3_mixed_2024_10 for ML-KEM. Signature (20200207) and ECC (20200310)
 * sets are unchanged from the 2023-10 policies. Because the old suites are
 * removed from the cipher list itself, each member points at a new cipher
 * preference set rather than the 2021-05 lists.
 */

/*
 * Same as security_policy_pq_tls_1_2_2023_10_07, but with TLS 1.2 Kyber removed, and added ML-KEM support.
 * NOTE(review): the cipher list is now the ELB tls13_1_2_Ext2_2021_06 set
 * rather than pq_tls_1_1_2021_05_21 -- presumably equivalent minus the Kyber
 * suites; confirm when the two lists change independently.
 */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_07 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &elb_security_policy_tls13_1_2_Ext2_2021_06,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_08, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_10, but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_08_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241008_gcm,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* Same as security_policy_pq_tls_1_2_2023_10_09 but with 3DES and Kyber (for TLS 1.2) removed, and added ML-KEM support (PFS rule retained) */
const struct s2n_security_policy security_policy_pq_tls_1_2_2024_10_09 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20241009,
    .kem_preferences = &kem_preferences_pq_tls_1_3_mixed_2024_10,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * KMS FIPS policies. All three have a TLS1.2 floor and declare the PFS rule.
 * NOTE(review): only the 2024_10 member declares S2N_FIPS_140_3; the 2018_10
 * and 2021_08 members do not, despite the "fips" name. Whether that is
 * deliberate (e.g. because of the 20140601 ECC set they both use) cannot be
 * told from this file -- confirm before relying on the rule for those two.
 */

/* KMS FIPS (2018-10): classical only (kem_preferences_null), 20140601 signature and ECC sets. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* KMS FIPS (2021-08): classical only; newer cipher list and 20200207 signatures, but still the 20140601 ECC set. */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2021_08 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * Same as security_policy_pq_20231215 (same cipher list, 20230317 signatures,
 * 20201021 ECC, FIPS 140-3 rule), but with only ML-KEM support
 * (kem_preferences_pq_tls_1_3_ietf_2024_10) and with the PFS rule declared as well.
 */
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2024_10 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
    .signature_preferences = &s2n_signature_preferences_20230317,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * Legacy versioned policies, 2014-2016. All are classical only
 * (kem_preferences_null) with the 20140601 signature and ECC sets and declare
 * no security rules; they differ only in cipher list and protocol floor.
 * NOTE(review): security_policy_20140601 is one of only two policies in this
 * section without a "test" name that set an S2N_SSLv3 floor (the other is
 * security_policy_20200207). Everything else here allows TLS1.0 and up.
 */

/* 2014-06-01: S2N_SSLv3 floor. */
const struct s2n_security_policy security_policy_20140601 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_20140601,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2014-10-01: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20141001 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20141001,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2015-02-02: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20150202 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150202,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2015-02-14: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20150214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2016-04-11: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20160411 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160411,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2015-03-06: TLS1.0 floor (defined out of date order in this file). */
const struct s2n_security_policy security_policy_20150306 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20150306,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2016-08-04: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20160804 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160804,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2016-08-24: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20160824 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20160824,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * 2019 versioned policies. Identical shape to the 2014-2016 set: TLS1.0 floor,
 * classical only, 20140601 signature and ECC sets, no security rules; each
 * differs only in its cipher list (the _gcm variant uses a separate GCM list).
 */

/* 2019-01-22: TLS1.0 floor. Its cipher list is also reused by security_policy_20201021 below. */
const struct s2n_security_policy security_policy_20190122 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2019-01-21: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20190121 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190121,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2019-01-20: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20190120 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190120,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2019-02-14: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20190214 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2019-02-14, GCM cipher list variant: TLS1.0 floor. */
const struct s2n_security_policy security_policy_20190214_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190214_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * 2021-08-25 and 2017 versioned policies, each with a plain and a GCM cipher
 * list variant. All are classical only (kem_preferences_null), TLS1.0 floor,
 * and declare no security rules. The 2021 pair uses the 20200207 signature
 * and 20200310 ECC sets; the 2017 pairs keep the 20140601 sets.
 */

/* 2021-08-25: TLS1.0 floor, 20200207 signatures, 20200310 ECC. */
const struct s2n_security_policy security_policy_20210825 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* 2021-08-25, GCM cipher list variant. */
const struct s2n_security_policy security_policy_20210825_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20210825_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20200207,
    .ecc_preferences = &s2n_ecc_preferences_20200310,
};

/* 2017-03-28: TLS1.0 floor, 20140601 signature and ECC sets. */
const struct s2n_security_policy security_policy_20170328 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2017-03-28, GCM cipher list variant. */
const struct s2n_security_policy security_policy_20170328_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170328_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2017-07-18: TLS1.0 floor, 20140601 signature and ECC sets. */
const struct s2n_security_policy security_policy_20170718 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* 2017-07-18, GCM cipher list variant. */
const struct s2n_security_policy security_policy_20170718_gcm = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20170718_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/*
 * 2020-10-21: reuses the 20190122 cipher list with the newer 20201021
 * signature and ECC sets. TLS1.0 floor, classical only, no security rules.
 */
const struct s2n_security_policy security_policy_20201021 = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_20190122,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/*
 * 2021-08-16: TLS1.2 floor, classical only, 20210816 signature and ECC sets;
 * both the PFS and FIPS 140-3 rules are declared. The ECC set is also the one
 * used by the 2025 policies below.
 */
const struct s2n_security_policy security_policy_20210816 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/* 2021-08-16, GCM cipher list variant; same rules and preference sets as security_policy_20210816. */
const struct s2n_security_policy security_policy_20210816_gcm = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20210816_gcm,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20210816,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * This security policy is derived from the following specification:
 * https://datatracker.ietf.org/doc/html/rfc9151 (the CNSA 1.0 profile for
 * TLS 1.2 and 1.3).
 *
 * Unlike the other policies in this section it constrains certificates too:
 * it sets certificate_signature_preferences and certificate_key_preferences
 * (both 20250429) and is the only policy here that sets
 * certificate_preferences_apply_locally. That flag's semantics are not
 * visible in this file -- presumably it applies the certificate_* preferences
 * to the local certificate chain as well as the peer's; confirm in the header.
 * NOTE(review): no .rules are declared for this policy; whether
 * S2N_PERFECT_FORWARD_SECRECY should be asserted for the profile is a
 * question for the policy owner rather than something this file answers.
 */
const struct s2n_security_policy security_policy_20250429 = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_20250429,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250429,
    .certificate_key_preferences = &s2n_certificate_key_preferences_20250429,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .certificate_preferences_apply_locally = true,
};

/*
 * This security policy is a mix of default_tls13 (20240503) and rfc9151, with
 * a primary requirement that AES-256 is the ciphersuite chosen. Other
 * requirements are generally picked to raise minimum thresholds (e.g.,
 * requiring TLS 1.3) where possible without losing compatibility with modern
 * default_tls13 clients or servers.
 *
 * Concretely: TLS1.3 floor, the 20250211 cipher list, the 20250429 (RFC 9151)
 * signature set, the 20201110 certificate signature set and the 20210816 ECC
 * set; the PFS rule is declared. Superseded by security_policy_20250414 below.
 */
const struct s2n_security_policy security_policy_20250211 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20250429,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * This is essentially identical to 20250211, but fixes a bug which required
 * P-384 keys on certificates, which invalidated the compatibility promise for
 * that policy.
 *
 * The visible differences from 20250211 are: signature_preferences moves from
 * the 20250429 set to the 20240501 set (the same set the TLS1.2 default
 * policy uses), and S2N_FIPS_140_3 is declared in addition to PFS.
 */
const struct s2n_security_policy security_policy_20250414 = {
    .minimum_protocol_version = S2N_TLS13,
    .cipher_preferences = &cipher_preferences_20250211,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20240501,
    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
    .ecc_preferences = &s2n_ecc_preferences_20210816,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
        [S2N_FIPS_140_3] = true,
    },
};

/*
 * Test policies. Most set an S2N_SSLv3 floor and use the "*_all" / "test_all"
 * preference sets, which is the point of them: they exist to exercise every
 * code path, not to express a deployment posture.
 */

/* Everything enabled: SSLv3 floor, all ciphers, all KEMs, all signature schemes, all curves; no rules. */
const struct s2n_security_policy security_policy_test_all = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all,
    .kem_preferences = &kem_preferences_all,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

/*
 * All TLS1.2 ciphers with the 2021-05 KEM set and 20201021 signature/ECC sets.
 * NOTE(review): despite the tls12 name the floor is S2N_SSLv3, not S2N_TLS12.
 */
const struct s2n_security_policy security_policy_test_all_tls12 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls12,
    .kem_preferences = &kem_preferences_pq_tls_1_0_2021_05,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
};

/* All FIPS ciphers: TLS1.2 floor, classical only, FIPS signature set, FIPS 140-3 rule declared. */
const struct s2n_security_policy security_policy_test_all_fips = {
    .minimum_protocol_version = S2N_TLS12,
    .cipher_preferences = &cipher_preferences_test_all_fips,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_test_all_fips,
    .ecc_preferences = &s2n_ecc_preferences_20201021,
    .rules = {
        [S2N_FIPS_140_3] = true,
    },
};

/* All ECDSA ciphers: TLS1.0 floor, 20201021 signatures, all test curves; PFS rule declared. */
const struct s2n_security_policy security_policy_test_all_ecdsa = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_ecdsa,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* All RSA key exchange ciphers: TLS1.0 floor, 20140601 sets; no rules (RSA kex is not forward secret). */
const struct s2n_security_policy security_policy_test_all_rsa_kex = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_test_all_rsa_kex,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20140601,
    .ecc_preferences = &s2n_ecc_preferences_20140601,
};

/* All TLS1.3 ciphers: SSLv3 floor, all signature schemes, all test curves; PFS rule declared. */
const struct s2n_security_policy security_policy_test_all_tls13 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_all,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/*
 * NOTE(review): despite its versioned (non-test) name, this policy is built
 * from the test_all_tls13 cipher list with an SSLv3 floor. It differs from
 * security_policy_test_all_tls13 only in signature_preferences (20201021
 * instead of "all"). Treat it as a test policy unless the selection table
 * says otherwise.
 */
const struct s2n_security_policy security_policy_20200207 = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_all_tls13,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
    .rules = {
        [S2N_PERFECT_FORWARD_SECRECY] = true,
    },
};

/* ECDSA-first ordering test: SSLv3 floor, 20201021 signatures, all test curves; no rules. */
const struct s2n_security_policy security_policy_test_ecdsa_priority = {
    .minimum_protocol_version = S2N_SSLv3,
    .cipher_preferences = &cipher_preferences_test_ecdsa_priority,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_20201021,
    .ecc_preferences = &s2n_ecc_preferences_test_all,
};

/*
 * Empty policy: every preference set is the corresponding *_null set and no
 * security rules are declared. Only the TLS1.0 floor carries any content.
 */
const struct s2n_security_policy security_policy_null = {
    .minimum_protocol_version = S2N_TLS10,
    .cipher_preferences = &cipher_preferences_null,
    .kem_preferences = &kem_preferences_null,
    .signature_preferences = &s2n_signature_preferences_null,
    .ecc_preferences = &s2n_ecc_preferences_null,
};

/* Name -> policy table consulted by s2n_find_security_policy_from_version.
 *
 * - Lookups are case-insensitive (strcasecmp), so e.g. "20210816_GCM" and
 *   "20210816_gcm" select the same entry; the first match wins.
 * - The table is terminated by an entry whose .version is NULL.
 * - .ecc_extension_required and .pq_kem_extension_required are written as 0
 *   here only as placeholders: s2n_security_policies_init recomputes them
 *   (and .supports_tls13) from each policy's cipher list at startup.
 * - Several names alias one policy object ("default" / "20240501",
 *   "rfc9151" / "20250429", two ELB names / elb_2016_08, ...). The lookup
 *   helpers in this file match on the policy pointer and use the first
 *   matching entry's flags, which init derives identically for every alias.
 * - Test-only and "null" policies live in the same table and are selectable
 *   through the same public name lookup as the production policies.
 */
struct s2n_security_policy_selection security_policy_selection[] = {
    /* If changing named policies, please update the usage guide's docs on the corresponding policy.
     * You likely also want to update the compatibility unit tests in (tests/unit/s2n_security_rules_test.c).
     */
    { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240503", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240331", .security_policy = &security_policy_20240331, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240417", .security_policy = &security_policy_20240417, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240416", .security_policy = &security_policy_20240416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240730", .security_policy = &security_policy_20240730, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */
    { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-2016-08", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-1-2017-01", .security_policy = &security_policy_elb_tls_1_1_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-2017-01", .security_policy = &security_policy_elb_tls_1_2_2017_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", .security_policy = &security_policy_elb_tls_1_2_ext_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-2018-06", .security_policy = &security_policy_elb_fs_2018_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-2019-08", .security_policy = &security_policy_elb_fs_1_2_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-1-2019-08", .security_policy = &security_policy_elb_fs_1_1_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "ELBSecurityPolicy-FS-1-2-Res-2019-08", .security_policy = &security_policy_elb_fs_1_2_Res_2019_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream", .security_policy = &security_policy_cloudfront_upstream, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-0", .security_policy = &security_policy_cloudfront_upstream_tls10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-1", .security_policy = &security_policy_cloudfront_upstream_tls11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-Upstream-TLS-1-2", .security_policy = &security_policy_cloudfront_upstream_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Viewer Facing */
    { .version = "CloudFront-SSL-v-3", .security_policy = &security_policy_cloudfront_ssl_v_3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014", .security_policy = &security_policy_cloudfront_tls_1_0_2014, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016", .security_policy = &security_policy_cloudfront_tls_1_0_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016", .security_policy = &security_policy_cloudfront_tls_1_1_2016, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2017", .security_policy = &security_policy_cloudfront_tls_1_2_2017, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018", .security_policy = &security_policy_cloudfront_tls_1_2_2018, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019", .security_policy = &security_policy_cloudfront_tls_1_2_2019, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021", .security_policy = &security_policy_cloudfront_tls_1_2_2021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2021-Chacha20-Boosted", .security_policy = &security_policy_cloudfront_tls_1_2_2021_chacha20_boosted, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CloudFront Legacy (TLS 1.2) policies */
    { .version = "CloudFront-SSL-v-3-Legacy", .security_policy = &security_policy_cloudfront_ssl_v_3_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2014-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2014_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-0-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_0_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-1-2016-Legacy", .security_policy = &security_policy_cloudfront_tls_1_1_2016_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2018-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2018_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "CloudFront-TLS-1-2-2019-Legacy", .security_policy = &security_policy_cloudfront_tls_1_2_2019_legacy, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* CRT allows users to choose the minimal TLS protocol they want to negotiate with. This translates to 5 different security policies in s2n */
    { .version = "AWS-CRT-SDK-SSLv3.0", .security_policy = &security_policy_aws_crt_sdk_ssl_v3, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0", .security_policy = &security_policy_aws_crt_sdk_tls_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1", .security_policy = &security_policy_aws_crt_sdk_tls_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2", .security_policy = &security_policy_aws_crt_sdk_tls_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3", .security_policy = &security_policy_aws_crt_sdk_tls_13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-SSLv3.0-2023", .security_policy = &security_policy_aws_crt_sdk_ssl_v3_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2023", .security_policy = &security_policy_aws_crt_sdk_tls_10_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.0-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_10_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.2-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "AWS-CRT-SDK-TLSv1.3-2025-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_13_07_25_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* KMS TLS Policies*/
    { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-0-2021-08", .security_policy = &security_policy_kms_tls_1_0_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-TLS-1-2-2023-06", .security_policy = &security_policy_kms_tls_1_2_2023_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2018-10", .security_policy = &security_policy_kms_fips_tls_1_2_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2021-08", .security_policy = &security_policy_kms_fips_tls_1_2_2021_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "KMS-FIPS-TLS-1-2-2024-10", .security_policy = &security_policy_kms_fips_tls_1_2_2024_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-0-2023-01-24", .security_policy = &security_policy_pq_tls_1_0_2023_01_24, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-07", .security_policy = &security_policy_pq_tls_1_2_2023_04_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-08", .security_policy = &security_policy_pq_tls_1_2_2023_04_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-13", .security_policy = &security_policy_pq_20231213, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-14", .security_policy = &security_policy_pq_20231214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2023-12-15", .security_policy = &security_policy_pq_20231215, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-07", .security_policy = &security_policy_pq_tls_1_2_2024_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08", .security_policy = &security_policy_pq_tls_1_2_2024_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-08_gcm", .security_policy = &security_policy_pq_tls_1_2_2024_10_08_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "PQ-TLS-1-2-2024-10-09", .security_policy = &security_policy_pq_tls_1_2_2024_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150214", .security_policy = &security_policy_20150214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20150306", .security_policy = &security_policy_20150306, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160411", .security_policy = &security_policy_20160411, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160804", .security_policy = &security_policy_20160804, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20160824", .security_policy = &security_policy_20160824, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170210", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328", .security_policy = &security_policy_20170328, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170328_gcm", .security_policy = &security_policy_20170328_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214", .security_policy = &security_policy_20190214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190214_gcm", .security_policy = &security_policy_20190214_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825", .security_policy = &security_policy_20210825, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210825_gcm", .security_policy = &security_policy_20210825_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405", .security_policy = &security_policy_20170405, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170405_gcm", .security_policy = &security_policy_20170405_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718", .security_policy = &security_policy_20170718, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20170718_gcm", .security_policy = &security_policy_20170718_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190120", .security_policy = &security_policy_20190120, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190121", .security_policy = &security_policy_20190121, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Upper-case "GCM" is the published name; the case-insensitive lookup also accepts "20210816_gcm". */
    { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20240603", .security_policy = &security_policy_20240603, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250211", .security_policy = &security_policy_20250211, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250414", .security_policy = &security_policy_20250414, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "20250429", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* If changing this, please update the usage guide's docs on the corresponding policy. */
    { .version = "rfc9151", .security_policy = &security_policy_20250429, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Test and null policies: selectable by name exactly like the entries above. */
    { .version = "test_all", .security_policy = &security_policy_test_all, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_fips", .security_policy = &security_policy_test_all_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_ecdsa", .security_policy = &security_policy_test_all_ecdsa, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_rsa_kex", .security_policy = &security_policy_test_all_rsa_kex, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_ecdsa_priority", .security_policy = &security_policy_test_ecdsa_priority, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls12", .security_policy = &security_policy_test_all_tls12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "test_all_tls13", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    { .version = "null", .security_policy = &security_policy_null, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
    /* Sentinel: every walk over this table stops at .version == NULL. */
    { .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
};
1456 : :
/* Names of policies that have been removed.
 *
 * s2n_find_security_policy_from_version consults this list only after the
 * live table misses, and turns a (case-insensitive) hit into
 * S2N_ERR_DEPRECATED_SECURITY_POLICY instead of the generic
 * S2N_ERR_INVALID_SECURITY_POLICY. Because the live table is checked first,
 * a name that appeared in both would still resolve to the live policy. */
const char *deprecated_security_policies[] = {
    "KMS-PQ-TLS-1-0-2019-06",
    "KMS-PQ-TLS-1-0-2020-02",
    "KMS-PQ-TLS-1-0-2020-07",
    "PQ-TLS-1-0-2020-12",
    "PQ-TLS-1-1-2021-05-17",
    "PQ-TLS-1-0-2021-05-18",
    "PQ-TLS-1-0-2021-05-19",
    "PQ-TLS-1-0-2021-05-20",
    "PQ-TLS-1-1-2021-05-21",
    "PQ-TLS-1-0-2021-05-22",
    "PQ-TLS-1-0-2021-05-23",
    "PQ-TLS-1-0-2021-05-24",
    "PQ-TLS-1-0-2021-05-25",
    "PQ-TLS-1-0-2021-05-26",
    "PQ-SIKE-TEST-TLS-1-0-2019-11",
    "PQ-SIKE-TEST-TLS-1-0-2020-02",
};
/* Element count of the array above, used as the loop bound by the lookup. */
const size_t deprecated_security_policies_len = s2n_array_len(deprecated_security_policies);
1476 : :
/* Resolves a policy name to its policy definition.
 *
 * `version` is compared case-insensitively (strcasecmp) against each
 * .version in security_policy_selection; the first match wins. A name that
 * is only in deprecated_security_policies fails with
 * S2N_ERR_DEPRECATED_SECURITY_POLICY; any other unknown name fails with
 * S2N_ERR_INVALID_SECURITY_POLICY. Both arguments must be non-NULL.
 *
 * Returns 0 and stores the policy through `security_policy` on a hit;
 * otherwise the POSIX_* macros return early with s2n_errno set.
 */
int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(security_policy);

    /* The live table ends with an entry whose .version is NULL. */
    const struct s2n_security_policy_selection *entry = security_policy_selection;
    for (; entry->version != NULL; entry++) {
        if (strcasecmp(version, entry->version) == 0) {
            *security_policy = entry->security_policy;
            return 0;
        }
    }

    /* Not live: report "retired" separately from "never existed". */
    for (size_t idx = 0; idx < deprecated_security_policies_len; idx++) {
        if (strcasecmp(version, deprecated_security_policies[idx]) == 0) {
            POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
        }
    }

    POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}
1497 : :
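/* Installs the security policy named `version` on `config`.
 *
 * The name is resolved by s2n_find_security_policy_from_version (deprecated
 * and unknown names fail with their specific errors). Before the policy is
 * installed three checks run, in this order:
 *   - each preference list the policy points at must be non-NULL;
 *   - the policy's minimum protocol version must not exceed what the linked
 *     libcrypto fully supports (S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);
 *   - the certificates already loaded into `config` must satisfy the policy
 *     (s2n_config_validate_loaded_certificates).
 * On any failure config->security_policy is left untouched.
 *
 * Returns 0 on success; on failure the POSIX_* macros return early with
 * s2n_errno set.
 */
int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version)
{
    /* `config` is written at the end of this function. Reject NULL up front,
     * as s2n_connection_set_cipher_preferences does for `conn`, instead of
     * relying on the certificate validation step to catch it. */
    POSIX_ENSURE_REF(config);

    const struct s2n_security_policy *security_policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &security_policy));
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);
    POSIX_ENSURE_REF(security_policy->kem_preferences);
    POSIX_ENSURE_REF(security_policy->signature_preferences);
    POSIX_ENSURE_REF(security_policy->ecc_preferences);

    /* If the security policy's minimum version is higher than what libcrypto supports, return an error. */
    POSIX_ENSURE((security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version()), S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* If the config contains certificates violating the security policy cert preferences, return an error. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy));
    config->security_policy = security_policy;
    return 0;
}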
1516 : :
/* Overrides the security policy for a single connection.
 *
 * Resolves `version` with s2n_find_security_policy_from_version, then
 * applies the same checks as s2n_config_set_cipher_preferences: every
 * preference list present, the policy's minimum protocol version within
 * what libcrypto fully supports (S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED
 * otherwise), and the certificates loaded into conn->config compatible with
 * the policy. Only then is conn->security_policy_override set.
 *
 * Returns 0 on success; on failure the POSIX_* macros return early with
 * s2n_errno set and the override is left unchanged.
 */
int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);

    const struct s2n_security_policy *policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &policy));
    POSIX_ENSURE_REF(policy);

    /* A table policy always has these lists (init checks them), but the
     * setter verifies them again before the policy is trusted. */
    POSIX_ENSURE_REF(policy->cipher_preferences);
    POSIX_ENSURE_REF(policy->kem_preferences);
    POSIX_ENSURE_REF(policy->signature_preferences);
    POSIX_ENSURE_REF(policy->ecc_preferences);

    /* Refuse a policy whose protocol floor the linked libcrypto cannot reach. */
    POSIX_ENSURE(policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version(),
            S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);

    /* The override must still be compatible with the certificates the
     * connection's config has already loaded. */
    POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(conn->config, policy));

    conn->security_policy_override = policy;
    return 0;
}
1538 : :
/* Validates every entry of security_policy_selection and derives the
 * per-entry flags (supports_tls13, ecc_extension_required,
 * pq_kem_extension_required) that the lookup helpers in this file rely on.
 *
 * For each entry up to the NULL-terminated sentinel this:
 *   - requires the policy and its cipher, KEM and ECC preference lists to be
 *     non-NULL, and validates the curve list;
 *   - validates certificate_signature_preferences when a policy sets them
 *     (the field is optional and NULL for most policies);
 *   - requires at least one ECC curve for every policy except
 *     security_policy_null;
 *   - walks the cipher list to set the three flags, and rejects a suite
 *     whose "is a TLS1.3 cipher" and "minimum version >= TLS1.3" disagree;
 *   - validates the KEM preferences against the derived PQ flag;
 *   - outside unit tests, checks the policy's declared security rules.
 *
 * The flags are only ever set, never cleared, so a repeated call is
 * harmless. Returns 0 when every entry passes; the first failure returns
 * early with s2n_errno set and later entries are not visited.
 */
int s2n_security_policies_init()
{
    for (int i = 0; security_policy_selection[i].version != NULL; i++) {
        const struct s2n_security_policy *security_policy = security_policy_selection[i].security_policy;
        POSIX_ENSURE_REF(security_policy);
        const struct s2n_cipher_preferences *cipher_preference = security_policy->cipher_preferences;
        POSIX_ENSURE_REF(cipher_preference);
        const struct s2n_kem_preferences *kem_preference = security_policy->kem_preferences;
        POSIX_ENSURE_REF(kem_preference);
        const struct s2n_ecc_preferences *ecc_preference = security_policy->ecc_preferences;
        POSIX_ENSURE_REF(ecc_preference);
        POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));

        /* Optional: only policies that restrict certificate signatures set this. */
        const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
        if (certificate_signature_preference != NULL) {
            POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
        }

        /* Compared by address: security_policy_null is the single exemption. */
        if (security_policy != &security_policy_null) {
            /* All policies must have at least one ecc curve configured. */
            S2N_ERROR_IF(ecc_preference->count == 0, S2N_ERR_INVALID_SECURITY_POLICY);
        }

        for (int j = 0; j < cipher_preference->count; j++) {
            struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
            POSIX_ENSURE_REF(cipher);

            const uint8_t *iana = cipher->iana_value;

            /* One TLS1.3-only suite is enough to mark the whole policy. */
            if (cipher->minimum_required_tls_version >= S2N_TLS13) {
                security_policy_selection[i].supports_tls13 = 1;
            }

            /* Sanity check that valid tls13 has minimum tls version set correctly */
            /* XOR: fail when exactly one of the two predicates holds, i.e. a
             * TLS1.3 suite with a lower floor or a non-TLS1.3 suite with a
             * TLS1.3 floor. */
            S2N_ERROR_IF(s2n_is_valid_tls13_cipher(iana) ^ (cipher->minimum_required_tls_version >= S2N_TLS13),
                    S2N_ERR_INVALID_SECURITY_POLICY);

            if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
                security_policy_selection[i].ecc_extension_required = 1;
            }

            /* The TLS1.2 PQ extension is only required when the policy also
             * lists at least one KEM to send in it. */
            if (s2n_cipher_suite_requires_pq_extension(cipher) && kem_preference->kem_count > 0) {
                security_policy_selection[i].pq_kem_extension_required = 1;
            }
        }

        POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[i].pq_kem_extension_required));

        /* Validate that security rules are correctly applied.
         * This should be checked by a unit test, but outside of unit tests we
         * check again here to cover the case where the unit tests are not run.
         */
        /* Note this makes rule validation a production-only check: inside a
         * unit test a policy with a wrong rule flag still initialises. */
        if (!s2n_in_unit_test()) {
            struct s2n_security_rule_result result = { 0 };
            POSIX_GUARD_RESULT(s2n_security_policy_validate_security_rules(security_policy, &result));
            POSIX_ENSURE(!result.found_error, S2N_ERR_INVALID_SECURITY_POLICY);
        }
    }
    return 0;
}
1599 : :
/* Reports whether a policy needs the ECC (supported groups) extension.
 *
 * For a policy present in security_policy_selection the answer is the
 * ecc_extension_required flag precomputed by s2n_security_policies_init.
 * For any other policy the cipher list is scanned and the answer is true if
 * any suite requires the extension. A NULL policy, or a policy without a
 * cipher list, is reported as not requiring it.
 */
bool s2n_ecc_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Known policies: matched by pointer, using the flag init derived. */
    const struct s2n_security_policy_selection *entry = security_policy_selection;
    for (; entry->version != NULL; entry++) {
        if (entry->security_policy == security_policy) {
            return entry->ecc_extension_required == 1;
        }
    }

    /* Policies outside the table have no precomputed flag: inspect the suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_ecc_extension(prefs->suites[idx]);
    }
    return required;
}
1625 : :
/* Reports whether a policy needs the TLS1.2 PQ KEM extension.
 *
 * For a policy present in security_policy_selection the answer is the
 * pq_kem_extension_required flag precomputed by s2n_security_policies_init.
 * Otherwise: a policy whose kem_preferences list zero TLS1.2 KEMs never
 * needs the extension; failing that, the cipher list is scanned and the
 * answer is true if any suite requires it. A NULL policy, or a policy with
 * no cipher list, is reported as not requiring it.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* Known policies: matched by pointer, using the flag init derived. */
    const struct s2n_security_policy_selection *entry = security_policy_selection;
    for (; entry->version != NULL; entry++) {
        if (entry->security_policy == security_policy) {
            return entry->pq_kem_extension_required == 1;
        }
    }

    /* With no TLS1.2 KEMs there is nothing for the extension to carry. */
    const struct s2n_kem_preferences *kems = security_policy->kem_preferences;
    if (kems && kems->kem_count == 0) {
        return false;
    }

    /* Policies outside the table have no precomputed flag: inspect the suites. */
    const struct s2n_cipher_preferences *prefs = security_policy->cipher_preferences;
    if (!prefs) {
        return false;
    }

    bool required = false;
    for (size_t idx = 0; idx < prefs->count && !required; idx++) {
        required = s2n_cipher_suite_requires_pq_extension(prefs->suites[idx]);
    }
    return required;
}
1655 : :
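/* Reports whether a security policy can negotiate TLS1.3, i.e. whether its
 * cipher list holds at least one suite whose minimum_required_tls_version is
 * S2N_TLS13 or above.
 *
 * A policy present in security_policy_selection uses the supports_tls13 flag
 * that s2n_security_policies_init derived by the same rule; any other policy
 * is scanned directly. A NULL policy, or one without a cipher list, is
 * reported as not supporting TLS1.3.
 *
 * Fix: the table walk used a uint8_t index while the sibling lookups use a
 * wider type. The table already holds well over a hundred entries; once it
 * passed 255 the index would wrap to 0 and the loop would never reach the
 * NULL sentinel. The index is now size_t.
 */
bool s2n_security_policy_supports_tls13(const struct s2n_security_policy *security_policy)
{
    if (security_policy == NULL) {
        return false;
    }

    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            return security_policy_selection[i].supports_tls13 == 1;
        }
    }

    /* Not in the table: compute the answer from the cipher list. */
    const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
    if (cipher_preferences == NULL) {
        return false;
    }

    for (size_t i = 0; i < cipher_preferences->count; i++) {
        if (cipher_preferences->suites[i]->minimum_required_tls_version >= S2N_TLS13) {
            return true;
        }
    }

    return false;
}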
1685 : :
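/* Reports whether what `conn` negotiated would have been allowed by the
 * security policy named `version`.
 *
 * Exactly two things are checked: the connection's actual protocol version
 * must not be below the policy's minimum_protocol_version, and the
 * negotiated cipher suite's IANA value must appear in the policy's cipher
 * list (constant-time comparison over S2N_TLS_CIPHER_SUITE_LEN bytes). ECC
 * curves, signature schemes and KEM preferences are not consulted, so a
 * result of 1 is not a full policy-compliance check.
 *
 * Returns 1 if both checks pass and 0 if either fails. If an argument is
 * NULL, no cipher suite has been negotiated, or `version` does not name a
 * policy, the POSIX_* macros return early with s2n_errno set.
 *
 * Fix: the policy's cipher_preferences is now checked for NULL before the
 * loop dereferences it, as the two set_cipher_preferences functions already
 * do for the same pointer.
 */
int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(version);
    POSIX_ENSURE_REF(conn->secure);
    POSIX_ENSURE_REF(conn->secure->cipher_suite);

    const struct s2n_security_policy *security_policy = NULL;
    POSIX_GUARD(s2n_find_security_policy_from_version(version, &security_policy));
    POSIX_ENSURE_REF(security_policy);
    POSIX_ENSURE_REF(security_policy->cipher_preferences);

    /* make sure we dont use a tls version lower than that configured by the version */
    if (s2n_connection_get_actual_protocol_version(conn) < security_policy->minimum_protocol_version) {
        return 0;
    }

    struct s2n_cipher_suite *cipher = conn->secure->cipher_suite;
    POSIX_ENSURE_REF(cipher);
    const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
    for (size_t i = 0; i < cipher_preferences->count; ++i) {
        if (s2n_constant_time_equals(cipher_preferences->suites[i]->iana_value, cipher->iana_value, S2N_TLS_CIPHER_SUITE_LEN)) {
            return 1;
        }
    }

    return 0;
}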
1712 : :
/* Validates the internal consistency of a KEM preference list.
 *
 * Each count must be zero exactly when its backing array is NULL, the TLS 1.3
 * KEM group count must not exceed S2N_KEM_GROUPS_COUNT, and TLS 1.2 KEMs must
 * be present if and only if the PQ KEM extension is required (that extension
 * only applies to TLS 1.2).
 *
 * @param kem_preferences           List to validate; must not be NULL.
 * @param pq_kem_extension_required Whether the policy needs the TLS 1.2 PQ KEM
 *                                  extension, and therefore a non-empty KEM list.
 * @return S2N_SUCCESS when consistent; otherwise fails with
 *         S2N_ERR_INVALID_SECURITY_POLICY (or S2N_ERR_ARRAY_INDEX_OOB for an
 *         oversized group count).
 */
int s2n_validate_kem_preferences(const struct s2n_kem_preferences *kem_preferences, bool pq_kem_extension_required)
{
    POSIX_ENSURE_REF(kem_preferences);

    /* A count of 0 must coincide with a NULL list, and vice versa. */
    POSIX_ENSURE(S2N_IFF(kem_preferences->tls13_kem_group_count == 0, kem_preferences->tls13_kem_groups == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(S2N_IFF(kem_preferences->kem_count == 0, kem_preferences->kems == NULL),
            S2N_ERR_INVALID_SECURITY_POLICY);
    POSIX_ENSURE(kem_preferences->tls13_kem_group_count <= S2N_KEM_GROUPS_COUNT, S2N_ERR_ARRAY_INDEX_OOB);

    /* TLS 1.2 KEMs go hand in hand with the PQ KEM extension: required means
     * the list must be populated, not required means it must be empty. */
    const bool tls12_kems_present = kem_preferences->kem_count > 0 && kem_preferences->kems != NULL;
    const bool tls12_kems_absent = kem_preferences->kem_count == 0 && kem_preferences->kems == NULL;
    POSIX_ENSURE(pq_kem_extension_required ? tls12_kems_present : tls12_kems_absent,
            S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_SUCCESS;
}
1735 : :
/* Validates a certificate signature preference list.
 *
 * The only rule enforced here is that RSA-PSS schemes are all-or-nothing:
 * the list must contain either every RSA-PSS scheme (NUM_RSA_PSS_SCHEMES) or
 * none of them.
 *
 * https://github.com/aws/s2n-tls/issues/3435
 *
 * The Openssl function used to parse signatures off certificates does not
 * differentiate between any rsa pss signature schemes. Therefore a security
 * policy with a certificate signatures preference list must include all
 * rsa_pss signature schemes.
 *
 * @param certificate_signature_preferences List to validate; must not be NULL.
 * @return S2N_RESULT_OK when the list is acceptable; otherwise fails with
 *         S2N_ERR_INVALID_SECURITY_POLICY.
 */
S2N_RESULT s2n_validate_certificate_signature_preferences(const struct s2n_signature_preferences *certificate_signature_preferences)
{
    RESULT_ENSURE_REF(certificate_signature_preferences);

    const struct s2n_signature_preferences *prefs = certificate_signature_preferences;

    /* Count how many entries are RSA-PSS (identified by libcrypto NID). */
    size_t pss_count = 0;
    for (size_t idx = 0; idx < prefs->count; idx++) {
        const bool is_rsa_pss = prefs->signature_schemes[idx]->libcrypto_nid == NID_rsassaPss;
        if (is_rsa_pss) {
            pss_count++;
        }
    }

    const bool all_pss_present = pss_count == NUM_RSA_PSS_SCHEMES;
    const bool no_pss_present = pss_count == 0;
    RESULT_ENSURE(all_pss_present || no_pss_present, S2N_ERR_INVALID_SECURITY_POLICY);

    return S2N_RESULT_OK;
}
1757 : :
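/* Looks up the version string under which a security policy is registered in
 * the official `security_policy_selection` table.
 *
 * @param security_policy Policy to look up, matched by pointer identity.
 * @param version         Out-parameter receiving the table's version string on
 *                        success, or NULL on failure; must not be NULL.
 * @return S2N_RESULT_OK if the policy is in the table; otherwise fails with
 *         S2N_ERR_INVALID_SECURITY_POLICY (a NULL policy never matches and so
 *         also fails this way).
 */
S2N_RESULT s2n_security_policy_get_version(const struct s2n_security_policy *security_policy, const char **version)
{
    RESULT_ENSURE_REF(version);
    *version = NULL;
    /* size_t rather than uint8_t: a uint8_t index wraps back to 0 once the
     * selection table holds more than 255 entries, which would turn this
     * sentinel-terminated scan into an endless loop. */
    for (size_t i = 0; security_policy_selection[i].version != NULL; i++) {
        if (security_policy_selection[i].security_policy == security_policy) {
            *version = security_policy_selection[i].version;
            return S2N_RESULT_OK;
        }
    }
    RESULT_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}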
1770 : :
/* Checks a certificate's signature algorithm against the policy's certificate
 * signature preferences.
 *
 * A policy without certificate signature preferences accepts any signature.
 * Otherwise the certificate's signature NID must match the libcrypto NID of
 * at least one listed scheme.
 *
 * @param security_policy Policy whose certificate_signature_preferences apply.
 * @param info            Parsed certificate information (signature_nid is read).
 * @param error           Error raised when the signature is not permitted.
 * @return S2N_RESULT_OK if permitted; otherwise fails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_signature(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);
    const struct s2n_signature_preferences *sig_preferences = security_policy->certificate_signature_preferences;

    /* No preference list configured: nothing to enforce. */
    if (sig_preferences == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t idx = 0; idx < sig_preferences->count; idx++) {
        const struct s2n_signature_scheme *scheme = sig_preferences->signature_schemes[idx];
        if (scheme->libcrypto_nid == info->signature_nid) {
            return S2N_RESULT_OK;
        }
    }

    /* Preferences are configured but none of them match this certificate. */
    RESULT_BAIL(error);
}
1789 : :
/* Checks a certificate's public key against the policy's certificate key
 * preferences.
 *
 * A policy without certificate key preferences accepts any key. Otherwise
 * both the key's libcrypto NID and its bit length must match one listed
 * entry.
 *
 * @param security_policy Policy whose certificate_key_preferences apply.
 * @param info            Parsed certificate information (public_key_nid and
 *                        public_key_bits are read).
 * @param error           Error raised when the key is not permitted.
 * @return S2N_RESULT_OK if permitted; otherwise fails with `error`.
 */
S2N_RESULT s2n_security_policy_validate_cert_key(const struct s2n_security_policy *security_policy,
        const struct s2n_cert_info *info, s2n_error error)
{
    RESULT_ENSURE_REF(info);
    RESULT_ENSURE_REF(security_policy);
    const struct s2n_certificate_key_preferences *key_preferences = security_policy->certificate_key_preferences;

    /* No preference list configured: nothing to enforce. */
    if (key_preferences == NULL) {
        return S2N_RESULT_OK;
    }

    for (size_t idx = 0; idx < key_preferences->count; idx++) {
        const struct s2n_certificate_key *key = key_preferences->certificate_keys[idx];
        const bool nid_matches = key->public_key_libcrypto_nid == info->public_key_nid;
        const bool bits_match = key->bits == info->public_key_bits;
        if (nid_matches && bits_match) {
            return S2N_RESULT_OK;
        }
    }

    /* Preferences are configured but none of them match this certificate's key. */
    RESULT_BAIL(error);
}
1808 : :
/* Validates every certificate in a local chain against the policy's
 * certificate key and signature preferences.
 *
 * Enforcement is skipped entirely unless the policy sets
 * certificate_preferences_apply_locally. Otherwise each certificate, from the
 * head of the chain onwards, must pass both
 * s2n_security_policy_validate_cert_key() and
 * s2n_security_policy_validate_cert_signature(); the first failure stops the
 * walk.
 *
 * @param security_policy Policy to enforce; must not be NULL.
 * @param cert_key_pair   Chain to validate; it and its cert_chain must not be NULL.
 * @return S2N_RESULT_OK if the chain is acceptable (or enforcement does not
 *         apply locally); otherwise fails with
 *         S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT.
 */
S2N_RESULT s2n_security_policy_validate_certificate_chain(
        const struct s2n_security_policy *security_policy,
        const struct s2n_cert_chain_and_key *cert_key_pair)
{
    RESULT_ENSURE_REF(security_policy);
    RESULT_ENSURE_REF(cert_key_pair);
    RESULT_ENSURE_REF(cert_key_pair->cert_chain);

    /* Certificate preferences only constrain local chains when the policy says so. */
    const bool enforce_locally = security_policy->certificate_preferences_apply_locally;
    if (!enforce_locally) {
        return S2N_RESULT_OK;
    }

    for (struct s2n_cert *cert = cert_key_pair->cert_chain->head; cert != NULL; cert = cert->next) {
        RESULT_GUARD(s2n_security_policy_validate_cert_key(security_policy, &cert->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
        RESULT_GUARD(s2n_security_policy_validate_cert_signature(security_policy, &cert->info,
                S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT));
    }

    return S2N_RESULT_OK;
}