refactor: Adds tls13 ciphersuites to default/default_fips policy (#5560)

Author: maddeleine

docs/usage-guide/topics/ch06-security-policies.md

@@ -6,7 +6,7 @@ s2n-tls uses pre-made security policies to help avoid common misconfiguration mi
 
 ## Supported TLS Versions
 
-Currently TLS 1.2 is our default version, but we recommend TLS 1.3 where possible. To use TLS 1.3 you need a security policy that supports TLS 1.3.
+The default security policy supports TLS13 and will negotiate it wherever possible.
 
 ## Deprecation of Security Policies
 
@@ -27,8 +27,8 @@ The following chart maps the security policy version to protocol version and cip
 
 |    version    | TLS1.0 | TLS1.1 | TLS1.2 | TLS1.3 | AES-CBC | AES-GCM | CHACHAPOLY | 3DES | RC4 | DHE | ECDHE | RSA kx |
 |---------------|--------|--------|--------|--------|---------|---------|------------|------|-----|-----|-------|--------|
-|    default    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
-| default_fips  |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+|    default    |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+| default_fips  |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 | default_tls13 |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
 |   20240501    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
 |   20240502    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
@@ -65,9 +65,7 @@ matching fixed versions are:
 
 | "default" | "default_fips" | "default_tls13" | "rfc9151" |
 |-----------|----------------|-----------------|-----------|
-| 20240501  |   20240502     |    20240503     |  20251013 |
-
-"default_fips" does not currently support TLS1.3. If you need a policy that supports both FIPS and TLS1.3, choose "20230317". We plan to add TLS1.3 support to both "default" and "default_fips" in the future.
+| 20251014  |   20251015     |    20240503     |  20251013 |
 
 "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates.
 Like the default policies, this policy may also change if the source RFC definition changes.
@@ -155,7 +153,7 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 
 |  Version   | "default" | "default_fips" | "default_tls13" | "rfc9151" |
 |------------|-----------|----------------|-----------------|-----------|
-|  v1.5.28   | 20240501  |   20240502     |    20240503     |  20251013 |
+|  v1.6.0    | 20251014  |   20251015     |    20240503     |  20251013 |
 |  v1.5.25   | 20240501  |   20240502     |    20240503     |  20250429 |
 |  v1.4.16   | 20240501  |   20240502     |    20240503     |    (*)    |
 |   Older    | 20170210  |   20240416     |    20240417     |    (*)    |

tests/policy_snapshot/snapshots/20251014

@@ -0,0 +1,36 @@
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1
+pq:
+- revision: 5
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024

tests/policy_snapshot/snapshots/20251015

@@ -0,0 +1,49 @@
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): yes
+cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+pq:
+- revision: 5
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024

tests/policy_snapshot/snapshots/default

@@ -3,14 +3,13 @@ rules:
 - Perfect Forward Secrecy: yes
 - FIPS 140-3 (2019): no
 cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 signature schemes:
 - ecdsa_sha256
 - ecdsa_sha384
@@ -29,3 +28,9 @@ curves:
 - x25519
 - secp384r1
 - secp521r1
+pq:
+- revision: 5
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024

tests/policy_snapshot/snapshots/default_fips

@@ -3,14 +3,12 @@ rules:
 - Perfect Forward Secrecy: yes
 - FIPS 140-3 (2019): yes
 cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 signature schemes:
 - ecdsa_sha256
 - ecdsa_sha384
@@ -43,3 +41,9 @@ certificate signature schemes:
 - ecdsa_sha384
 - ecdsa_sha512
 - legacy_ecdsa_sha224
+pq:
+- revision: 5
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024

tests/unit/s2n_choose_supported_group_test.c

@@ -30,12 +30,13 @@ int main()
     BEGIN_TEST();
     EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-    /* Tests with default KEM preferences (kem_preferences_null) */
+    /* Tests with 20240501 KEM preferences (kem_preferences_null) */
     {
         /* If the lists of mutually supported groups are empty, chosen group should be set to null */
         {
             struct s2n_connection *server_conn = NULL;
             EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
+            EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "20240501"));
 
             const struct s2n_ecc_preferences *ecc_pref = NULL;
             EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(server_conn, &ecc_pref));
@@ -73,6 +74,7 @@ int main()
         {
             struct s2n_connection *server_conn = NULL;
             EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
+            EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "20240501"));
 
             const struct s2n_ecc_preferences *ecc_pref = NULL;
             EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(server_conn, &ecc_pref));
@@ -111,6 +113,7 @@ int main()
         {
             struct s2n_connection *server_conn = NULL;
             EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
+            EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "20240501"));
 
             const struct s2n_ecc_preferences *ecc_pref = NULL;
             EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(server_conn, &ecc_pref));

tests/unit/s2n_security_policies_test.c

@@ -217,9 +217,9 @@ int main(int argc, char **argv)
         EXPECT_FALSE(s2n_pq_kem_is_extension_required(security_policy));
         EXPECT_NULL(security_policy->kem_preferences->kems);
         EXPECT_EQUAL(0, security_policy->kem_preferences->kem_count);
-        EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
-        EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);
-        EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+        EXPECT_EQUAL(security_policy->kem_preferences, &kem_preferences_pq_tls_1_3_ietf_2025_07);
+        EXPECT_EQUAL(3, security_policy->kem_preferences->tls13_kem_group_count);
+        EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 
         security_policy = NULL;
         EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &security_policy));
@@ -309,8 +309,6 @@ int main(int argc, char **argv)
 
     {
         char tls12_only_security_policy_strings[][255] = {
-            "default",
-            "default_fips",
             "ELBSecurityPolicy-TLS-1-0-2015-04",
             "ELBSecurityPolicy-TLS-1-0-2015-05",
             "ELBSecurityPolicy-2016-08",
@@ -364,6 +362,8 @@ int main(int argc, char **argv)
         }
 
         char tls13_security_policy_strings[][255] = {
+            "default",
+            "default_fips",
             "default_tls13",
             "test_all",
             "test_all_tls13",
@@ -905,6 +905,7 @@ int main(int argc, char **argv)
             const struct s2n_security_policy *versioned_policies[] = {
                 &security_policy_20170210,
                 &security_policy_20240501,
+                &security_policy_20251014,
             };
 
             DEFER_CLEANUP(struct s2n_test_cert_chain_list cert_chains = { 0 },
@@ -958,6 +959,7 @@ int main(int argc, char **argv)
             const struct s2n_security_policy *versioned_policies[] = {
                 &security_policy_20240416,
                 &security_policy_20240502,
+                &security_policy_20251015,
             };
 
             DEFER_CLEANUP(struct s2n_test_cert_chain_list cert_chains = { 0 },

tests/unit/s2n_tls13_support_test.c

@@ -33,9 +33,9 @@ int main(int argc, char **argv)
     /* TLS 1.3 is not used by default */
     EXPECT_FALSE(s2n_use_default_tls13_config());
 
-    /* TLS1.3 is not supported or configured by default */
+    /* TLS1.3 is supported or configured by default */
     {
-        /* Client does not support or configure TLS 1.3 */
+        /* Client supports and configures TLS 1.3 */
         {
             struct s2n_connection *conn = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
@@ -44,12 +44,12 @@ int main(int argc, char **argv)
 
             const struct s2n_security_policy *security_policy = NULL;
             EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-            EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+            EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 
             EXPECT_SUCCESS(s2n_connection_free(conn));
         };
 
-        /* Server does not support or configure TLS 1.3 */
+        /* Server supports and configures TLS 1.3 */
         {
             struct s2n_connection *conn = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
@@ -58,7 +58,7 @@ int main(int argc, char **argv)
 
             const struct s2n_security_policy *security_policy = NULL;
             EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-            EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+            EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 
             EXPECT_SUCCESS(s2n_connection_free(conn));
         };

tls/s2n_cipher_preferences.c

@@ -302,6 +302,51 @@ const struct s2n_cipher_preferences cipher_preferences_20230317 = {
     .allow_chacha20_boosting = false,
 };
 
+/*
+ * TLS1.3 support.
+ */
+struct s2n_cipher_suite *cipher_suites_20251014[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
+
+    /* TLS1.2 with ECDSA */
+    &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+
+    /* TLS1.2 with RSA */
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20251014 = {
+    .count = s2n_array_len(cipher_suites_20251014),
+    .suites = cipher_suites_20251014,
+    .allow_chacha20_boosting = false,
+};
+
+/*
+ * FIPS
+ * TLS1.3 support.
+ * Same as 20251014 but without chachapoly
+ */
+struct s2n_cipher_suite *cipher_suites_20251015[] = {
+    &s2n_tls13_aes_128_gcm_sha256,
+    &s2n_tls13_aes_256_gcm_sha384,
+
+    /* TLS1.2 with ECDSA */
+    &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+
+    /* TLS1.2 with RSA */
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20251015 = {
+    .count = s2n_array_len(cipher_suites_20251015),
+    .suites = cipher_suites_20251015,
+    .allow_chacha20_boosting = false,
+};
+
 /*
  * No TLS1.3 support.
  * FIPS compliant.

tls/s2n_cipher_preferences.h

@@ -64,6 +64,8 @@ extern const struct s2n_cipher_preferences cipher_preferences_20241009;
 extern const struct s2n_cipher_preferences cipher_preferences_20250211;
 extern const struct s2n_cipher_preferences cipher_preferences_20250429;
 extern const struct s2n_cipher_preferences cipher_preferences_20251013;
+extern const struct s2n_cipher_preferences cipher_preferences_20251014;
+extern const struct s2n_cipher_preferences cipher_preferences_20251015;
 
 extern const struct s2n_cipher_preferences cipher_preferences_default_fips;