Skip to content

Commit

Permalink
Add Security Policy Deprecation API
Browse files Browse the repository at this point in the history
  • Loading branch information
alexw91 committed Jan 15, 2025
1 parent fb77459 commit 7eea908
Show file tree
Hide file tree
Showing 7 changed files with 32 additions and 76 deletions.
1 change: 1 addition & 0 deletions error/s2n_errno.c
Original file line number Diff line number Diff line change
Expand Up @@ -255,6 +255,7 @@ static const char *no_such_error = "Internal s2n error";
ERR_ENTRY(S2N_ERR_UNSUPPORTED_EXTENSION, "Illegal use of a known, supported extension") \
ERR_ENTRY(S2N_ERR_MISSING_EXTENSION, "Mandatory extension not received") \
ERR_ENTRY(S2N_ERR_DUPLICATE_EXTENSION, "Extension block contains two or more extensions of the same type") \
ERR_ENTRY(S2N_ERR_DEPRECATED_SECURITY_POLICY, "Deprecated security policy") \
ERR_ENTRY(S2N_ERR_INVALID_SECURITY_POLICY, "Invalid security policy") \
ERR_ENTRY(S2N_ERR_INVALID_KEM_PREFERENCES, "Invalid kem preferences version") \
ERR_ENTRY(S2N_ERR_INVALID_PARSED_EXTENSIONS, "Invalid parsed extension data") \
Expand Down
1 change: 1 addition & 0 deletions error/s2n_errno.h
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,7 @@ typedef enum {
S2N_ERR_INVALID_SIGNATURE_ALGORITHMS_PREFERENCES,
S2N_ERR_RSA_PSS_NOT_SUPPORTED,
S2N_ERR_INVALID_ECC_PREFERENCES,
S2N_ERR_DEPRECATED_SECURITY_POLICY,
S2N_ERR_INVALID_SECURITY_POLICY,
S2N_ERR_INVALID_KEM_PREFERENCES,
S2N_ERR_ASYNC_ALREADY_PERFORMED,
Expand Down
35 changes: 15 additions & 20 deletions tests/unit/s2n_security_policies_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,21 @@ int main(int argc, char **argv)

const struct s2n_security_policy *security_policy = NULL;

/* Test Deprecated Security Policies */
{
/* Ensure that every policy in the deprecated list has been removed from the supported policies list */
for (size_t i = 0; i < deprecrated_security_policies_len; i++) {
EXPECT_FAILURE_WITH_ERRNO(s2n_find_security_policy_from_version(deprecated_security_policies[i], &security_policy), S2N_ERR_DEPRECATED_SECURITY_POLICY);
}

/* Ensure that each policy that's been deprecated actually returns a deprecated error when requested. */
EXPECT_FAILURE_WITH_ERRNO(s2n_find_security_policy_from_version("PQ-SIKE-TEST-TLS-1-0-2019-11", &security_policy), S2N_ERR_DEPRECATED_SECURITY_POLICY);
EXPECT_FAILURE_WITH_ERRNO(s2n_find_security_policy_from_version("PQ-SIKE-TEST-TLS-1-0-2020-02", &security_policy), S2N_ERR_DEPRECATED_SECURITY_POLICY);

/* Add list length check so that when new policies are deprecated, they are added to this test. */
EXPECT_EQUAL(deprecrated_security_policies_len, 2);
}

/* Test common known good cipher suites for expected configuration */
{
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &security_policy));
Expand Down Expand Up @@ -241,24 +256,6 @@ int main(int argc, char **argv)
EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-SIKE-TEST-TLS-1-0-2019-11", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_FALSE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(0, security_policy->kem_preferences->kem_count);
EXPECT_NULL(security_policy->kem_preferences->kems);
EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-SIKE-TEST-TLS-1-0-2020-02", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_FALSE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(0, security_policy->kem_preferences->kem_count);
EXPECT_NULL(security_policy->kem_preferences->kems);
EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("KMS-PQ-TLS-1-0-2020-02", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
Expand Down Expand Up @@ -482,8 +479,6 @@ int main(int argc, char **argv)
"KMS-PQ-TLS-1-0-2019-06",
"KMS-PQ-TLS-1-0-2020-02",
"KMS-PQ-TLS-1-0-2020-07",
"PQ-SIKE-TEST-TLS-1-0-2019-11",
"PQ-SIKE-TEST-TLS-1-0-2020-02",
"KMS-FIPS-TLS-1-2-2018-10",
"20140601",
"20141001",
Expand Down
28 changes: 0 additions & 28 deletions tls/s2n_cipher_preferences.c
Original file line number Diff line number Diff line change
Expand Up @@ -1634,34 +1634,6 @@ const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2020_02 =
.allow_chacha20_boosting = false,
};

struct s2n_cipher_suite *cipher_suites_pq_sike_test_tls_1_0_2019_11[] = {
&s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
&s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
&s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
&s2n_ecdhe_rsa_with_aes_256_cbc_sha,
&s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
&s2n_ecdhe_rsa_with_3des_ede_cbc_sha,
&s2n_dhe_rsa_with_aes_256_cbc_sha256,
&s2n_dhe_rsa_with_aes_128_cbc_sha256,
&s2n_dhe_rsa_with_aes_256_cbc_sha,
&s2n_dhe_rsa_with_aes_128_cbc_sha,
};

/* Previously included only SIKE round 1 (for integration tests) */
const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2019_11 = {
.count = s2n_array_len(cipher_suites_pq_sike_test_tls_1_0_2019_11),
.suites = cipher_suites_pq_sike_test_tls_1_0_2019_11,
.allow_chacha20_boosting = false,
};

/* Previously included SIKE round 1 and round 2 (for integration tests). The cipher suite list
* is the same as in cipher_preferences_pq_sike_test_tls_1_0_2019_11. */
const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2020_02 = {
.count = s2n_array_len(cipher_suites_pq_sike_test_tls_1_0_2019_11),
.suites = cipher_suites_pq_sike_test_tls_1_0_2019_11,
.allow_chacha20_boosting = false,
};

/* Includes Kyber PQ algorithm */
struct s2n_cipher_suite *cipher_suites_kms_pq_tls_1_0_2020_07[] = {
&s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384,
Expand Down
2 changes: 0 additions & 2 deletions tls/s2n_cipher_preferences.h
Original file line number Diff line number Diff line change
Expand Up @@ -125,8 +125,6 @@ extern const struct s2n_cipher_preferences cipher_preferences_kms_fips_tls_1_2_2
extern const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2019_06;
extern const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2020_02;
extern const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2020_07;
extern const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2019_11;
extern const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2020_02;
extern const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2020_12;
extern const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_1_2021_05_17;
extern const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_18;
Expand Down
37 changes: 13 additions & 24 deletions tls/s2n_security_policies.c
Original file line number Diff line number Diff line change
Expand Up @@ -610,28 +610,6 @@ const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02 = {
},
};

const struct s2n_security_policy security_policy_pq_sike_test_tls_1_0_2019_11 = {
.minimum_protocol_version = S2N_TLS10,
.cipher_preferences = &cipher_preferences_pq_sike_test_tls_1_0_2019_11,
.kem_preferences = &kem_preferences_null,
.signature_preferences = &s2n_signature_preferences_20140601,
.ecc_preferences = &s2n_ecc_preferences_20140601,
.rules = {
[S2N_PERFECT_FORWARD_SECRECY] = true,
},
};

const struct s2n_security_policy security_policy_pq_sike_test_tls_1_0_2020_02 = {
.minimum_protocol_version = S2N_TLS10,
.cipher_preferences = &cipher_preferences_pq_sike_test_tls_1_0_2020_02,
.kem_preferences = &kem_preferences_null,
.signature_preferences = &s2n_signature_preferences_20140601,
.ecc_preferences = &s2n_ecc_preferences_20140601,
.rules = {
[S2N_PERFECT_FORWARD_SECRECY] = true,
},
};

const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07 = {
.minimum_protocol_version = S2N_TLS10,
.cipher_preferences = &cipher_preferences_kms_pq_tls_1_0_2020_07,
Expand Down Expand Up @@ -1296,8 +1274,6 @@ struct s2n_security_policy_selection security_policy_selection[] = {
{ .version = "KMS-PQ-TLS-1-0-2019-06", .security_policy = &security_policy_kms_pq_tls_1_0_2019_06, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "KMS-PQ-TLS-1-0-2020-02", .security_policy = &security_policy_kms_pq_tls_1_0_2020_02, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "KMS-PQ-TLS-1-0-2020-07", .security_policy = &security_policy_kms_pq_tls_1_0_2020_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "PQ-SIKE-TEST-TLS-1-0-2019-11", .security_policy = &security_policy_pq_sike_test_tls_1_0_2019_11, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "PQ-SIKE-TEST-TLS-1-0-2020-02", .security_policy = &security_policy_pq_sike_test_tls_1_0_2020_02, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "PQ-TLS-1-0-2020-12", .security_policy = &security_policy_pq_tls_1_0_2020_12, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "PQ-TLS-1-1-2021-05-17", .security_policy = &security_policy_pq_tls_1_1_2021_05_17, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
{ .version = "PQ-TLS-1-0-2021-05-18", .security_policy = &security_policy_pq_tls_1_0_2021_05_18, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
Expand Down Expand Up @@ -1367,6 +1343,13 @@ struct s2n_security_policy_selection security_policy_selection[] = {
{ .version = NULL, .security_policy = NULL, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }
};

const char *deprecated_security_policies[] = {
"PQ-SIKE-TEST-TLS-1-0-2019-11",
"PQ-SIKE-TEST-TLS-1-0-2020-02",
};

const size_t deprecrated_security_policies_len = s2n_array_len(deprecated_security_policies);

int s2n_find_security_policy_from_version(const char *version, const struct s2n_security_policy **security_policy)
{
POSIX_ENSURE_REF(version);
Expand All @@ -1379,6 +1362,12 @@ int s2n_find_security_policy_from_version(const char *version, const struct s2n_
}
}

for (size_t i = 0; i < deprecrated_security_policies_len; i++) {
if (!strcasecmp(version, deprecated_security_policies[i])) {
POSIX_BAIL(S2N_ERR_DEPRECATED_SECURITY_POLICY);
}
}

POSIX_BAIL(S2N_ERR_INVALID_SECURITY_POLICY);
}

Expand Down
4 changes: 2 additions & 2 deletions tls/s2n_security_policies.h
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,8 @@ struct s2n_security_policy_selection {
};

extern struct s2n_security_policy_selection security_policy_selection[];
extern const char *deprecated_security_policies[];
extern const size_t deprecrated_security_policies_len;

/* Defaults as of 05/24 */
extern const struct s2n_security_policy security_policy_20240501;
Expand Down Expand Up @@ -160,8 +162,6 @@ extern const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13;
extern const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2019_06;
extern const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_02;
extern const struct s2n_security_policy security_policy_kms_pq_tls_1_0_2020_07;
extern const struct s2n_security_policy security_policy_pq_sike_test_tls_1_0_2019_11;
extern const struct s2n_security_policy security_policy_pq_sike_test_tls_1_0_2020_02;
extern const struct s2n_security_policy security_policy_pq_tls_1_0_2020_12;
extern const struct s2n_security_policy security_policy_pq_tls_1_1_2021_05_17;
extern const struct s2n_security_policy security_policy_pq_tls_1_0_2021_05_18;
Expand Down

0 comments on commit 7eea908

Please sign in to comment.