select security policy based on fips or tls13

aws · Sep 17, 2024 · 60f4ba4 · 60f4ba4
1 parent e4b845c
commit 60f4ba4
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/implicit_default_detection/src/main.rs b/implicit_default_detection/src/main.rs
@@ -75,7 +75,7 @@ fn main() {
 
                     let auto_gen = format!(
                         "/* AUTO-GENERATED */
-                        EXPECT_SUCCESS(s2n_config_set_cipher_preferences({}, \"20240501\"));
+                        EXPECT_SUCCESS(s2n_config_set_cipher_preferences({}, s2n_testing_old_default_security_policy()));
                         /* AUTO-GENERATED */",
                         config_name
                     );

diff --git a/tests/testlib/s2n_security_policy_testlib.c b/tests/testlib/s2n_security_policy_testlib.c
@@ -13,12 +13,13 @@
  * permissions and limitations under the License.
  */
 
+#include "crypto/s2n_fips.h"
 #include "s2n_testlib.h"
 #include "utils/s2n_safety.h"
 
 extern const struct s2n_ecc_named_curve s2n_unsupported_curve;
 
-const struct s2n_ecc_named_curve *const ecc_pref_list_for_retry[] = {
+const struct s2n_ecc_named_curve* const ecc_pref_list_for_retry[] = {
     &s2n_unsupported_curve,
 #if EVP_APIS_SUPPORTED
     &s2n_ecc_curve_x25519,
@@ -40,3 +41,14 @@ const struct s2n_security_policy security_policy_test_tls13_retry = {
     .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
     .ecc_preferences = &ecc_preferences_for_retry,
 };
+
+const char* s2n_testing_old_default_security_policy()
+{
+    if (s2n_use_default_tls13_config()) {
+        return "20240503";
+    } else if (s2n_is_in_fips_mode()) {
+        return "20240502";
+    } else {
+        return "20240501";
+    }
+}
diff --git a/tests/testlib/s2n_testlib.h b/tests/testlib/s2n_testlib.h
@@ -22,6 +22,7 @@
 
 extern const struct s2n_ecc_preferences ecc_preferences_for_retry;
 extern const struct s2n_security_policy security_policy_test_tls13_retry;
+extern const char *s2n_testing_old_default_security_policy();
 
 /* Hex methods for testing */
 S2N_RESULT s2n_stuffer_alloc_from_hex(struct s2n_stuffer *stuffer, const char *str);

diff --git a/tests/unit/s2n_timer_test.c b/tests/unit/s2n_timer_test.c
@@ -12,9 +12,11 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
+
 #include "utils/s2n_timer.h"
 
 #include "s2n_test.h"
+#include "testlib/s2n_testlib.h"
 #include "tls/s2n_config.h"
 
 int mock_clock(void *in, uint64_t *out)