feature: update default_pq to support secp384r1_mlkem_1024 (#5433)

johubertj · web-flow · commit 41e0c47c02ad · 2025-07-23T10:44:22.000-07:00
diff --git a/docs/usage-guide/topics/ch15-post-quantum.md b/docs/usage-guide/topics/ch15-post-quantum.md
@@ -33,15 +33,21 @@ Listening on localhost:8000
 
 Post-quantum algorithms are enabled by configuring a security policy (see [Security Policies](./ch06-security-policies.md)) that supports post-quantum algorithms. 
 
-"default_pq" is the equivalent of "default_tls13", but with PQ support. Like the other default policies, "default_pq" may change as a result of library updates. The fixed, numbered equivalent of "default_pq" is currently "20250512". For previous defaults, see the "Default Policy History" section below.
+"default_pq" is the equivalent of "default_tls13", but with PQ support. Like the other default policies, "default_pq" may change as a result of library updates. The fixed, numbered equivalent of "default_pq" is currently "20250721". For previous defaults, see the "Default Policy History" section below.
 
 Other available PQ policies are compared in the tables below.
 
-### Chart: Security Policy Version To PQ Hybrid Key Exchange Methods
+### Chart: Security Policy Version To PQ Hybrid Key Exchange Methods (ML-KEM)
 
-|        Version        | secp256r1+kyber768 | x25519+kyber768 | secp384r1+kyber768 | secp521r1+kyber1024 | secp256r1+kyber512 | x25519+kyber512 | 
+|        Version        | x25519+mlkem768 | secp256r1+mlkem768 | secp384r1+mlkem1024 |
+|-----------------------|-----------------|--------------------|---------------------|
+| default_pq / 20250721 |        X        |          X         |          X          |
+| 20250512              |        X        |          X         |                     |
+
+### Chart: Security Policy Version To PQ Hybrid Key Exchange Methods (Kyber)
+
+|        Version        | secp256r1+kyber768 | x25519+kyber768 | secp384r1+kyber768 | secp521r1+kyber1024 | secp256r1+kyber512 | x25519+kyber512 |
 |-----------------------|--------------------|-----------------|--------------------|---------------------|--------------------|-----------------|
-| default_pq / 20250512 |          X         |         X       |         X          |          X          |         X          |        X        |
 | 20240730              |          X         |         X       |         X          |          X          |         X          |        X        |
 | PQ-TLS-1-2-2023-12-15 |          X         |                 |         X          |          X          |         X          |                 |
 | PQ-TLS-1-2-2023-12-14 |          X         |                 |         X          |          X          |         X          |                 |
@@ -56,7 +62,8 @@ Other available PQ policies are compared in the tables below.
 
 |        Version        | ML-DSA | ECDSA | RSA | RSA-PSS | Legacy SHA1 |
 |-----------------------|--------|-------|-----|---------|-------------|
-| default_pq / 20250512 |   X    |   X   |  X  |    X    |             |
+| default_pq / 20250721 |   X    |   X   |  X  |    X    |             |
+| 20250512              |   X    |   X   |  X  |    X    |             |
 | 20240730              |        |   X   |  X  |    X    |             |
 | PQ-TLS-1-2-2023-12-15 |        |   X   |  X  |    X    |             |
 | PQ-TLS-1-2-2023-12-14 |        |   X   |  X  |    X    |             |
@@ -73,7 +80,8 @@ If the peer doesn't support a PQ hybrid key exchange method, s2n-tls will fall b
 
 |        Version        | secp256r1 | x25519 | secp384r1 | secp521r1 | DHE | RSA |
 |-----------------------|-----------|--------|-----------|-----------|-----|-----|
-| default_pq / 20250512 |     X     |   X    |     X     |     X     |     |     |
+| default_pq / 20250721 |     X     |   X    |     X     |     X     |     |     |
+| 20250512              |     X     |   X    |     X     |     X     |     |     |
 | 20240730              |     X     |   X    |     X     |     X     |     |     |
 | PQ-TLS-1-2-2023-12-15 |     X     |        |     X     |     X     |  X  |     |
 | PQ-TLS-1-2-2023-12-14 |     X     |        |     X     |     X     |     |     |
@@ -88,7 +96,8 @@ If the peer doesn't support a PQ hybrid key exchange method, s2n-tls will fall b
 
 |        Version        | AES-CBC | AES-GCM | CHACHAPOLY | 3DES |
 |-----------------------|---------|---------|------------|------|
-| default_pq / 20250512 |    X    |    X    |     X      |      |
+| default_pq / 20250721 |    X    |    X    |     X      |      |
+| 20250512              |    X    |    X    |     X      |      |
 | 20240730              |    X    |    X    |     X      |      |
 | PQ-TLS-1-2-2023-12-15 |    X    |    X    |            |      |
 | PQ-TLS-1-2-2023-12-14 |    X    |    X    |            |      |
@@ -104,7 +113,8 @@ If the peer doesn't support a PQ hybrid key exchange method, s2n-tls will fall b
 
 |        Version        | 1.2 | 1.3 |
 |-----------------------|-----|-----|
-| default_pq / 20250512 |  X  |  X  |
+| default_pq / 20250721 |  X  |  X  |
+| 20250512              |  X  |  X  |
 | 20240730              |  X  |  X  |
 | PQ-TLS-1-2-2023-12-15 |  X  |  X  |
 | PQ-TLS-1-2-2023-12-14 |  X  |  X  |
@@ -118,6 +128,7 @@ If the peer doesn't support a PQ hybrid key exchange method, s2n-tls will fall b
 #### Default Policy History
 |  Version   | "default_pq" |
 |------------|--------------|
+|  v1.5.23   |   20250721   |
 |  v1.5.19   |   20250512   |
 |  v1.5.0    |   20240730   |
 
diff --git a/tests/policy_snapshot/snapshots/20250721 b/tests/policy_snapshot/snapshots/20250721
@@ -0,0 +1,64 @@
+name: 20250721
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+signature schemes:
+- mldsa44
+- mldsa65
+- mldsa87
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- mldsa44
+- mldsa65
+- mldsa87
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+pq:
+- revision: 5
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024
diff --git a/tests/policy_snapshot/snapshots/default_pq b/tests/policy_snapshot/snapshots/default_pq
@@ -61,3 +61,4 @@ pq:
 - kem groups:
 -- X25519MLKEM768
 -- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024
diff --git a/tls/s2n_kem_preferences.c b/tls/s2n_kem_preferences.c
@@ -49,6 +49,12 @@ const struct s2n_kem_group *pq_kem_groups_ietf_2024_10[] = {
     &s2n_secp256r1_mlkem_768,
 };
 
+const struct s2n_kem_group *pq_kem_groups_ietf_2025_07[] = {
+    &s2n_x25519_mlkem_768,
+    &s2n_secp256r1_mlkem_768,
+    &s2n_secp384r1_mlkem_1024,
+};
+
 /* Includes both IETF standard KEM Groups, and earlier draft standards with Kyber. */
 const struct s2n_kem_group *pq_kem_groups_mixed_2024_10[] = {
     &s2n_x25519_mlkem_768,
@@ -103,6 +109,14 @@ const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_ietf_2024_10 = {
     .tls13_pq_hybrid_draft_revision = 5
 };
 
+const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_ietf_2025_07 = {
+    .kem_count = 0,
+    .kems = NULL,
+    .tls13_kem_group_count = s2n_array_len(pq_kem_groups_ietf_2025_07),
+    .tls13_kem_groups = pq_kem_groups_ietf_2025_07,
+    .tls13_pq_hybrid_draft_revision = 5
+};
+
 const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_mixed_2024_10 = {
     .kem_count = 0,
     .kems = NULL,
diff --git a/tls/s2n_kem_preferences.h b/tls/s2n_kem_preferences.h
@@ -48,6 +48,7 @@ extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2021_05;
 extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_0_2023_01;
 extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_06;
 extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_2023_12;
+extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_ietf_2025_07;
 extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_ietf_2024_10;
 extern const struct s2n_kem_preferences kem_preferences_pq_tls_1_3_mixed_2024_10;
 extern const struct s2n_kem_preferences kem_preferences_all;
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -97,6 +97,18 @@ const struct s2n_security_policy security_policy_20250512 = {
     },
 };
 
+const struct s2n_security_policy security_policy_20250721 = {
+    .minimum_protocol_version = S2N_TLS12,
+    .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
+    .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2025_07,
+    .signature_preferences = &s2n_signature_preferences_20250512,
+    .certificate_signature_preferences = &s2n_certificate_signature_preferences_20250512,
+    .ecc_preferences = &s2n_ecc_preferences_20240501,
+    .rules = {
+            [S2N_PERFECT_FORWARD_SECRECY] = true,
+    },
+};
+
 const struct s2n_security_policy security_policy_20241001_pq_mixed = {
     .minimum_protocol_version = S2N_TLS12,
     .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
@@ -1281,7 +1293,7 @@ struct s2n_security_policy_selection security_policy_selection[] = {
     { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
-    { .version = "default_pq", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "default_pq", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
@@ -1293,6 +1305,7 @@ struct s2n_security_policy_selection security_policy_selection[] = {
     { .version = "20240730", .security_policy = &security_policy_20240730, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20241001", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20250512", .security_policy = &security_policy_20250512, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "20250721", .security_policy = &security_policy_20250721, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20241001_pq_mixed", .security_policy = &security_policy_20241001_pq_mixed, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */
