From 9791237647e7c8af0bdabf7dff7127a53ccaafab Mon Sep 17 00:00:00 2001 From: Alex Weibel Date: Thu, 28 Dec 2023 15:28:12 -0800 Subject: [PATCH] Integrate with FIPS Security Rules --- tests/unit/s2n_security_rules_test.c | 2 ++ tls/s2n_kem_preferences.c | 16 ++++++++++++++++ tls/s2n_kem_preferences.h | 1 + tls/s2n_security_policies.c | 12 +++++++++--- tls/s2n_security_rules.c | 14 ++++++++++++++ 5 files changed, 42 insertions(+), 3 deletions(-) diff --git a/tests/unit/s2n_security_rules_test.c b/tests/unit/s2n_security_rules_test.c index 5c69d9f2824..60d304f4699 100644 --- a/tests/unit/s2n_security_rules_test.c +++ b/tests/unit/s2n_security_rules_test.c @@ -126,6 +126,7 @@ int main(int argc, char **argv) .signature_preferences = &valid_sig_prefs, .certificate_signature_preferences = &valid_sig_prefs, .ecc_preferences = &valid_ecc_prefs, + .kem_preferences = &kem_preferences_null, .minimum_protocol_version = VALID_VERSION, }; const struct s2n_security_policy invalid_policy = { @@ -133,6 +134,7 @@ int main(int argc, char **argv) .signature_preferences = &invalid_sig_prefs, .certificate_signature_preferences = &invalid_sig_prefs, .ecc_preferences = &invalid_ecc_prefs, + .kem_preferences = &kem_preferences_null, .minimum_protocol_version = EXAMPLE_INVALID_VERSION, }; diff --git a/tls/s2n_kem_preferences.c b/tls/s2n_kem_preferences.c index b30bb86695b..7a30d34f3ee 100644 --- a/tls/s2n_kem_preferences.c +++ b/tls/s2n_kem_preferences.c @@ -34,6 +34,13 @@ const struct s2n_kem_group *pq_kem_groups_r3_2023_06[] = { &s2n_x25519_kyber_512_r3, }; +const struct s2n_kem_group *pq_kem_groups_r3_2023_12[] = { + &s2n_secp256r1_kyber_768_r3, + &s2n_secp384r1_kyber_768_r3, + &s2n_secp521r1_kyber_1024_r3, + &s2n_secp256r1_kyber_512_r3, +}; + const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2021_05 = { .kem_count = s2n_array_len(pq_kems_r3_2021_05), .kems = pq_kems_r3_2021_05, @@ -59,6 +66,15 @@ const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_06 = { .tls13_pq_hybrid_draft_revision = 5 }; +/* Same as kem_preferences_pq_tls_1_3_2023_06, but without x25519 */ +const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_12 = { + .kem_count = 0, + .kems = NULL, + .tls13_kem_group_count = s2n_array_len(pq_kem_groups_r3_2023_12), + .tls13_kem_groups = pq_kem_groups_r3_2023_12, + .tls13_pq_hybrid_draft_revision = 5 +}; + const struct s2n_kem_preferences kem_preferences_all = { .kem_count = s2n_array_len(pq_kems_r3_2021_05), .kems = pq_kems_r3_2021_05, diff --git a/tls/s2n_kem_preferences.h b/tls/s2n_kem_preferences.h index 59536da4e24..0d10b45a08c 100644 --- a/tls/s2n_kem_preferences.h +++ b/tls/s2n_kem_preferences.h @@ -47,6 +47,7 @@ extern const struct s2n_kem_group *pq_kem_groups_r3_2023_06[]; extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2021_05; extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2023_01; extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_06; +extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_12; extern const struct s2n_kem_preferences kem_preferences_all; extern const struct s2n_kem_preferences kem_preferences_null; diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c index 46f7dc30496..bcd6f2c52b5 100644 --- a/tls/s2n_security_policies.c +++ b/tls/s2n_security_policies.c @@ -734,7 +734,7 @@ const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = { const struct s2n_security_policy security_policy_pq_20231213 = { .minimum_protocol_version = S2N_TLS12, .cipher_preferences = &cipher_preferences_20231213, - .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06, + .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12, .signature_preferences = &s2n_signature_preferences_20230317, .ecc_preferences = &s2n_ecc_preferences_20201021, }; @@ -742,17 +742,23 @@ const struct s2n_security_policy security_policy_pq_20231213 = { const struct s2n_security_policy security_policy_pq_20231214 = { .minimum_protocol_version = S2N_TLS12, .cipher_preferences = &cipher_preferences_20231214, - .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06, + .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12, .signature_preferences = &s2n_signature_preferences_20230317, .ecc_preferences = &s2n_ecc_preferences_20201021, + .rules = { + [S2N_FIPS_140_3] = true, + }, }; const struct s2n_security_policy security_policy_pq_20231215 = { .minimum_protocol_version = S2N_TLS12, .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08, - .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06, + .kem_preferences = &kem_preferences_pq_tls_1_3_2023_12, .signature_preferences = &s2n_signature_preferences_20230317, .ecc_preferences = &s2n_ecc_preferences_20201021, + .rules = { + [S2N_FIPS_140_3] = true, + }, }; const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = { diff --git a/tls/s2n_security_rules.c b/tls/s2n_security_rules.c index 9d85199d51b..ebeefe99430 100644 --- a/tls/s2n_security_rules.c +++ b/tls/s2n_security_rules.c @@ -166,6 +166,20 @@ S2N_RESULT s2n_security_rule_validate_policy(const struct s2n_security_rule *rul "curve", curve->name, i + 1)); } + const struct s2n_kem_preferences *kem_prefs = policy->kem_preferences; + RESULT_ENSURE_REF(kem_prefs); + for (size_t i = 0; i < kem_prefs->tls13_kem_group_count; i++) { + const struct s2n_kem_group *kem_group = kem_prefs->tls13_kem_groups[i]; + const struct s2n_ecc_named_curve *curve = kem_group->curve; + RESULT_ENSURE_REF(curve); + bool is_valid = false; + RESULT_ENSURE_REF(rule->validate_curve); + RESULT_GUARD(rule->validate_curve(curve, &is_valid)); + RESULT_GUARD(s2n_security_rule_result_process(result, is_valid, + error_msg_format_name, rule->name, policy_name, + "curve", curve->name, i + 1)); + } + bool is_valid = false; RESULT_ENSURE_REF(rule->validate_version); RESULT_GUARD(rule->validate_version(policy->minimum_protocol_version, &is_valid));