From 668eb66bfdbdc8bb9c39cd5a47e6bbac6803e5a6 Mon Sep 17 00:00:00 2001
From: Alex Weibel
Date: Wed, 13 Dec 2023 16:11:52 -0800
Subject: [PATCH] Add new PQ TLS Policies
---
 tls/s2n_cipher_preferences.c | 40 ++++++++++++++++++++++++++++++++++++
 tls/s2n_cipher_preferences.h | 3 +++
 tls/s2n_security_policies.c | 27 ++++++++++++++++++++++++
 3 files changed, 70 insertions(+)
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index cd3406d2a92..3552c72aaa8 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -1891,6 +1891,46 @@ const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_3_2023_06_01 = {
 .allow_chacha20_boosting = false,
 };
+struct s2n_cipher_suite *cipher_suites_20231213[] = {
+ &s2n_tls13_aes_128_gcm_sha256,
+ &s2n_tls13_aes_256_gcm_sha384,
+ &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
+ &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+ &s2n_rsa_with_aes_128_gcm_sha256,
+ &s2n_rsa_with_aes_256_gcm_sha384,
+ &s2n_rsa_with_aes_128_cbc_sha256,
+ &s2n_rsa_with_aes_256_cbc_sha256,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20231213 = {
+ .count = s2n_array_len(cipher_suites_20231213),
+ .suites = cipher_suites_20231213,
+};
+
+struct s2n_cipher_suite *cipher_suites_20231214[] = {
+ &s2n_tls13_aes_128_gcm_sha256,
+ &s2n_tls13_aes_256_gcm_sha384,
+ &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
+ &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20231214 = {
+ .count = s2n_array_len(cipher_suites_20231214),
+ .suites = cipher_suites_20231214,
+};
+
 struct s2n_cipher_suite *cipher_suites_kms_fips_tls_1_2_2018_10[] = {
 &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
 &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
index a9f1830c821..dc68e1fbb8c 100644
--- a/tls/s2n_cipher_preferences.h
+++ b/tls/s2n_cipher_preferences.h
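Review bot: The last four entries of `cipher_suites_20231213` (`s2n_rsa_with_aes_128_gcm_sha256` through `s2n_rsa_with_aes_256_cbc_sha256`) use static RSA key exchange, which has no forward secrecy, and the hunk gives no reason for keeping them in a list that a PQ-named policy consumes. Traffic recorded under those suites becomes readable if the server key is later exposed, which is the same record-now-decrypt-later exposure a PQ policy is meant to reduce. Those four suites are the only difference between the two new lists, so each array should carry a comment saying so, for example `/* cipher_suites_20231214 plus static-RSA key exchange suites (no forward secrecy) */` above `cipher_suites_20231213`. Both new `s2n_cipher_preferences` initializers also omit `.allow_chacha20_boosting`, which the preceding definition sets explicitly; adding `.allow_chacha20_boosting = false,` would keep them uniform.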
@@ -55,6 +55,9 @@ extern const struct s2n_cipher_preferences cipher_preferences_20210816_gcm;
 extern const struct s2n_cipher_preferences cipher_preferences_20210825;
 extern const struct s2n_cipher_preferences cipher_preferences_20210825_gcm;
 extern const struct s2n_cipher_preferences cipher_preferences_20210831;
+extern const struct s2n_cipher_preferences cipher_preferences_20231213;
+extern const struct s2n_cipher_preferences cipher_preferences_20231214;
+
 extern const struct s2n_cipher_preferences cipher_preferences_default_fips;
 extern const struct s2n_cipher_preferences cipher_preferences_test_all;
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index 2b53f6bd9e9..46f7dc30496 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -731,6 +731,30 @@ const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
 .ecc_preferences = &s2n_ecc_preferences_20200310,
 };
+const struct s2n_security_policy security_policy_pq_20231213 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_20231213,
+ .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+ .signature_preferences = &s2n_signature_preferences_20230317,
+ .ecc_preferences = &s2n_ecc_preferences_20201021,
+};
+
+const struct s2n_security_policy security_policy_pq_20231214 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_20231214,
+ .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+ .signature_preferences = &s2n_signature_preferences_20230317,
+ .ecc_preferences = &s2n_ecc_preferences_20201021,
+};
+
+const struct s2n_security_policy security_policy_pq_20231215 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
+ .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+ .signature_preferences = &s2n_signature_preferences_20230317,
+ .ecc_preferences = &s2n_ecc_preferences_20201021,
+};
+
 const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
 .minimum_protocol_version = S2N_TLS12,
 .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
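Review bot: All three new policies set `.minimum_protocol_version = S2N_TLS12`, yet the TLS 1.2 suites in the lists added for `cipher_preferences_20231213` and `cipher_preferences_20231214` are all classical ECDHE or RSA, so a peer that negotiates TLS 1.2 would complete the handshake without any PQ key exchange. Judging by its name, `kem_preferences_pq_tls_1_3_2023_06` covers TLS 1.3 key shares only; its definition is not in this patch, so that should be confirmed. If the fallback is intended, state it on each policy, e.g. `/* PQ hybrid key exchange applies to TLS 1.3 only; TLS 1.2 handshakes use classical key exchange */`, so that deployers do not read the PQ name as a guarantee. `security_policy_pq_20231215` points at `cipher_preferences_kms_fips_tls_1_2_2021_08`, whose contents are also outside the hunk and deserve the same check.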
@@ -1103,6 +1127,9 @@ struct s2n_security_policy_selection security_policy_selection[] = {
 { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "PQ-TLS-1-2-2023-12-13", .security_policy = &security_policy_pq_20231213, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "PQ-TLS-1-2-2023-12-14", .security_policy = &security_policy_pq_20231214, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "PQ-TLS-1-2-2023-12-15", .security_policy = &security_policy_pq_20231215, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
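Review bot: The three added rows bind `"PQ-TLS-1-2-2023-12-13"` through `"PQ-TLS-1-2-2023-12-15"` to `security_policy_pq_20231213` through `security_policy_pq_20231215`, while the rows just above keep the identifier in step with the version string (`"PQ-TLS-1-2-2023-10-10"` with `security_policy_pq_tls_1_2_2023_10_10`). Renaming them to `security_policy_pq_tls_1_2_2023_12_13` and so on would keep the table searchable by version string. The `12-14` and `12-15` suffixes are later than the commit's own date of 13 Dec 2023, so they act as variant numbers rather than dates; a short comment above the rows saying what distinguishes the three would help. The diffstat lists only the three `tls/` files, so no test or documentation for the new policy names arrives with this patch.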