Skip to content

Commit

Permalink
Integrate with FIPS Security Rules
Browse files Browse the repository at this point in the history
  • Loading branch information
@alexw91
alexw91 committed Jan 2, 2024
1 parent b72a39f commit eb42fb6
Show file tree
Hide file tree
Showing 5 changed files with 42 additions and 3 deletions.
2 changes: 2 additions & 0 deletions tests/unit/s2n_security_rules_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,13 +126,15 @@ int main(int argc, char **argv)
.signature_preferences = &valid_sig_prefs,
.certificate_signature_preferences = &valid_sig_prefs,
.ecc_preferences = &valid_ecc_prefs,
.kem_preferences = &kem_preferences_null,
.minimum_protocol_version = VALID_VERSION,
};
const struct s2n_security_policy invalid_policy = {
.cipher_preferences = &invalid_cipher_prefs,
.signature_preferences = &invalid_sig_prefs,
.certificate_signature_preferences = &invalid_sig_prefs,
.ecc_preferences = &invalid_ecc_prefs,
.kem_preferences = &kem_preferences_null,
.minimum_protocol_version = EXAMPLE_INVALID_VERSION,
};

Expand Down
16 changes: 16 additions & 0 deletions tls/s2n_kem_preferences.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,13 @@ const struct s2n_kem_group *pq_kem_groups_r3_2023_06[] = {
&s2n_x25519_kyber_512_r3,
};

const struct s2n_kem_group *pq_kem_groups_r3_2023_12[] = {
&s2n_secp256r1_kyber_768_r3,
&s2n_secp384r1_kyber_768_r3,
&s2n_secp521r1_kyber_1024_r3,
&s2n_secp256r1_kyber_512_r3,
};

const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2021_05 = {
.kem_count = s2n_array_len(pq_kems_r3_2021_05),
.kems = pq_kems_r3_2021_05,
Expand All @@ -59,6 +66,15 @@ const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_06 = {
.tls13_pq_hybrid_draft_revision = 5
};

/* Same as kem_preferences_pq_tls_1_3_2023_06, but without x25519 */
const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_12 = {
.kem_count = 0,
.kems = NULL,
.tls13_kem_group_count = s2n_array_len(pq_kem_groups_r3_2023_12),
.tls13_kem_groups = pq_kem_groups_r3_2023_12,
.tls13_pq_hybrid_draft_revision = 5
};

const struct s2n_kem_preferences kem_preferences_all = {
.kem_count = s2n_array_len(pq_kems_r3_2021_05),
.kems = pq_kems_r3_2021_05,
Expand Down
1 change: 1 addition & 0 deletions tls/s2n_kem_preferences.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ extern const struct s2n_kem_group *pq_kem_groups_r3_2023_06[];
extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2021_05;
extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2023_01;
extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_06;
extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_12;
extern const struct s2n_kem_preferences kem_preferences_all;
extern const struct s2n_kem_preferences kem_preferences_null;

Expand Down
12 changes: 9 additions & 3 deletions tls/s2n_security_policies.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -734,25 +734,31 @@ const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
const struct s2n_security_policy security_policy_pq_20231213 = {
.minimum_protocol_version = S2N_TLS12,
.cipher_preferences = &cipher_preferences_20231213,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
.signature_preferences = &s2n_signature_preferences_20230317,
.ecc_preferences = &s2n_ecc_preferences_20201021,
};

const struct s2n_security_policy security_policy_pq_20231214 = {
.minimum_protocol_version = S2N_TLS12,
.cipher_preferences = &cipher_preferences_20231214,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
.signature_preferences = &s2n_signature_preferences_20230317,
.ecc_preferences = &s2n_ecc_preferences_20201021,
.rules = {
[S2N_FIPS_140_3] = true,
},
};

const struct s2n_security_policy security_policy_pq_20231215 = {
.minimum_protocol_version = S2N_TLS12,
.cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2021_08,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_12,
.signature_preferences = &s2n_signature_preferences_20230317,
.ecc_preferences = &s2n_ecc_preferences_20201021,
.rules = {
[S2N_FIPS_140_3] = true,
},
};

const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
Expand Down
14 changes: 14 additions & 0 deletions tls/s2n_security_rules.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,20 @@ S2N_RESULT s2n_security_rule_validate_policy(const struct s2n_security_rule *rul
"curve", curve->name, i + 1));
}

const struct s2n_kem_preferences *kem_prefs = policy->kem_preferences;
RESULT_ENSURE_REF(kem_prefs);
for (size_t i = 0; i < kem_prefs->tls13_kem_group_count; i++) {
const struct s2n_kem_group *kem_group = kem_prefs->tls13_kem_groups[i];
const struct s2n_ecc_named_curve *curve = kem_group->curve;
RESULT_ENSURE_REF(curve);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_curve);
RESULT_GUARD(rule->validate_curve(curve, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"curve", curve->name, i + 1));
}

bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_version);
RESULT_GUARD(rule->validate_version(policy->minimum_protocol_version, &is_valid));
Expand Down

0 comments on commit eb42fb6

Please sign in to comment.