Add new PQ TLS 1.3 policies (#4247)

aws · Oct 13, 2023 · 3526e69 · 3526e69
1 parent 92c35cb
commit 3526e69
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
@@ -610,6 +610,10 @@ int main(int argc, char **argv)
             "PQ-TLS-1-2-2023-04-09",
             "PQ-TLS-1-2-2023-04-10",
             "PQ-TLS-1-3-2023-06-01",
+            "PQ-TLS-1-2-2023-10-07",
+            "PQ-TLS-1-2-2023-10-08",
+            "PQ-TLS-1-2-2023-10-09",
+            "PQ-TLS-1-2-2023-10-10",
         };
         for (size_t i = 0; i < s2n_array_len(tls13_security_policy_strings); i++) {
             security_policy = NULL;

diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -615,6 +615,42 @@ const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = {
     .ecc_preferences = &s2n_ecc_preferences_20201021,
 };
 
+/* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
+const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = {
+    .minimum_protocol_version = S2N_TLS12,
+    .cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
+    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+    .signature_preferences = &s2n_signature_preferences_20200207,
+    .ecc_preferences = &s2n_ecc_preferences_20200310,
+};
+
+/* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
+const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = {
+    .minimum_protocol_version = S2N_TLS12,
+    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
+    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+    .signature_preferences = &s2n_signature_preferences_20200207,
+    .ecc_preferences = &s2n_ecc_preferences_20200310,
+};
+
+/* Same as security_policy_pq_tls_1_2_2023_04_09, but with updated KEM prefs */
+const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = {
+    .minimum_protocol_version = S2N_TLS12,
+    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
+    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+    .signature_preferences = &s2n_signature_preferences_20200207,
+    .ecc_preferences = &s2n_ecc_preferences_20200310,
+};
+
+/* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
+const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
+    .minimum_protocol_version = S2N_TLS12,
+    .cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
+    .kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
+    .signature_preferences = &s2n_signature_preferences_20200207,
+    .ecc_preferences = &s2n_ecc_preferences_20200310,
+};
+
 const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
     .minimum_protocol_version = S2N_TLS12,
     .cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
@@ -960,6 +996,10 @@ struct s2n_security_policy_selection security_policy_selection[] = {
     { .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },

diff --git a/tls/s2n_security_policies.h b/tls/s2n_security_policies.h
@@ -151,6 +151,10 @@ extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08;
 extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09;
 extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10;
 extern const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01;
+extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07;
+extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08;
+extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09;
+extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10;
 
 extern const struct s2n_security_policy security_policy_cloudfront_upstream;
 extern const struct s2n_security_policy security_policy_cloudfront_upstream_tls10;