pin rust test to tls12 policy

aws · Nov 21, 2024 · 0fce290 · 0fce290
1 parent b87bf15
commit 0fce290
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs
@@ -4,8 +4,10 @@
 use s2n_tls::{
     config,
     connection::Builder,
+    enums::FipsMode,
     error::Error,
-    security::{DEFAULT, DEFAULT_TLS13},
+    init::fips_mode,
+    security::{Policy, DEFAULT_TLS13},
 };
 use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
 use std::time::Duration;
@@ -61,14 +63,24 @@ pub fn server_config() -> Result<config::Builder, Error> {
 
 pub fn client_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    if matches!(fips_mode().unwrap(), FipsMode::Enabled) {
+        builder.set_security_policy(&Policy::from_version("20240502").unwrap())?;
+    } else {
+        builder.set_security_policy(&Policy::from_version("20240501").unwrap())?;
+    }
     builder.trust_pem(RSA_CERT_PEM)?;
     Ok(builder)
 }
 
 pub fn server_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+
+    if matches!(fips_mode().unwrap(), FipsMode::Enabled) {
+        builder.set_security_policy(&Policy::from_version("20240502").unwrap())?;
+    } else {
+        builder.set_security_policy(&Policy::from_version("20240501").unwrap())?;
+    }
+
     builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
     Ok(builder)
 }

diff --git a/bindings/rust/s2n-tls/src/testing/resumption.rs b/bindings/rust/s2n-tls/src/testing/resumption.rs
@@ -7,6 +7,7 @@ mod tests {
         callbacks::{SessionTicket, SessionTicketCallback},
         config::ConnectionInitializer,
         connection::{self, Connection},
+        security::Policy,
         testing::*,
     };
     use futures_test::task::noop_waker;
@@ -66,10 +67,12 @@ mod tests {
     fn resume_session() -> Result<(), Box<dyn Error>> {
         let keypair = CertKeyPair::default();
 
+        let tls12_policy = Policy::from_version("20240501")?;
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
+            .set_security_policy(&tls12_policy)?
             .load_pem(keypair.cert(), keypair.key())?;
         let server_config = server_config_builder.build()?;
 
@@ -83,6 +86,7 @@ mod tests {
             .set_session_ticket_callback(handler.clone())?
             .trust_pem(keypair.cert())?
             .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
+            .set_security_policy(&tls12_policy)?
             .set_connection_initializer(handler)?;
         let client_config = client_config_builder.build()?;