feature: new TLS1.2 + FIPS CRT security policy (#5375)
Co-authored-by: Boquan Fang <boquanfang3@gmail.com>
1 parent f053215 commit e33d7ef

4 files changed

+57
-0
lines changed

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
name: AWS-CRT-SDK-TLSv1.2-2025
2+
min version: TLS1.2
3+
rules:
4+
- Perfect Forward Secrecy: yes
5+
- FIPS 140-3 (2019): yes
6+
cipher suites:
7+
- TLS_AES_128_GCM_SHA256
8+
- TLS_AES_256_GCM_SHA384
9+
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
10+
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
11+
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
12+
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
13+
signature schemes:
14+
- ecdsa_sha256
15+
- ecdsa_sha384
16+
- ecdsa_sha512
17+
- rsa_pss_pss_sha256
18+
- rsa_pss_pss_sha384
19+
- rsa_pss_pss_sha512
20+
- rsa_pss_rsae_sha256
21+
- rsa_pss_rsae_sha384
22+
- rsa_pss_rsae_sha512
23+
- rsa_pkcs1_sha256
24+
- rsa_pkcs1_sha384
25+
- rsa_pkcs1_sha512
26+
curves:
27+
- secp256r1
28+
- secp384r1

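--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -1556,6 +1556,21 @@ const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_default = {
 .allow_chacha20_boosting = false,
 };
 
+struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_2025[] = {
+&s2n_tls13_aes_128_gcm_sha256,
+&s2n_tls13_aes_256_gcm_sha384,
+&s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+&s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+&s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+&s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_2025 = {
+.count = s2n_array_len(cipher_suites_aws_crt_sdk_2025),
+.suites = cipher_suites_aws_crt_sdk_2025,
+.allow_chacha20_boosting = false,
+};
+
 struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_tls_13[] = {
 S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716
 };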
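Review bot: The new `cipher_suites_aws_crt_sdk_2025` table carries no comment saying why it is limited to AES-GCM suites with ECDHE key exchange (no ChaCha20, no static RSA), while the FIPS and PFS rules that actually enforce those constraints are attached to the policy in tls/s2n_security_policies.c, so a maintainer editing this list locally has nothing telling them a non-FIPS or non-PFS suite would break a published policy. I would add above the array `/* AWS-CRT-SDK-TLSv1.2-2025: FIPS 140-3 + PFS profile. AES-GCM (TLS1.2 and TLS1.3) with ECDHE key exchange only; keep in sync with the S2N_FIPS_140_3 / S2N_PERFECT_FORWARD_SECRECY rules on the policy that references it. */`. Like its neighbours the array has external linkage with no declaration in the header; if that is deliberate (e.g. for tests) a word to that effect would help, otherwise `static` is the usual C convention for a file-private table.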

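--- a/tls/s2n_cipher_preferences.h
+++ b/tls/s2n_cipher_preferences.h
@@ -117,6 +117,7 @@ extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2
 extern const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_ssl_v3;
 extern const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_default;
 extern const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_tls_13;
+extern const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_2025;
 
 /* AWS KMS Cipher Preferences */
 extern const struct s2n_cipher_preferences cipher_preferences_kms_tls_1_0_2018_10;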

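--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -557,6 +557,18 @@ const struct s2n_security_policy security_policy_aws_crt_sdk_tls_12_06_23 = {
 .ecc_preferences = &s2n_ecc_preferences_20230623,
 };
 
+const struct s2n_security_policy security_policy_aws_crt_sdk_tls_30_06_25 = {
+.minimum_protocol_version = S2N_TLS12,
+.cipher_preferences = &cipher_preferences_aws_crt_sdk_2025,
+.kem_preferences = &kem_preferences_null,
+.signature_preferences = &s2n_signature_preferences_20240501,
+.ecc_preferences = &s2n_ecc_preferences_20140601,
+.rules = {
+[S2N_PERFECT_FORWARD_SECRECY] = true,
+[S2N_FIPS_140_3] = true,
+},
+};
+
 const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_23 = {
 .minimum_protocol_version = S2N_TLS13,
 .cipher_preferences = &cipher_preferences_aws_crt_sdk_tls_13,
@@ -1325,6 +1337,7 @@ struct s2n_security_policy_selection security_policy_selection[] = {
 { .version = "AWS-CRT-SDK-TLSv1.1-2023", .security_policy = &security_policy_aws_crt_sdk_tls_11_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "AWS-CRT-SDK-TLSv1.2-2023", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "AWS-CRT-SDK-TLSv1.2-2023-PQ", .security_policy = &security_policy_aws_crt_sdk_tls_12_06_23_pq, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+{ .version = "AWS-CRT-SDK-TLSv1.2-2025", .security_policy = &security_policy_aws_crt_sdk_tls_30_06_25, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "AWS-CRT-SDK-TLSv1.3-2023", .security_policy = &security_policy_aws_crt_sdk_tls_13_06_23, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 /* KMS TLS Policies*/
 { .version = "KMS-TLS-1-0-2018-10", .security_policy = &security_policy_kms_tls_1_0_2018_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },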
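Review bot: The new policy is named `security_policy_aws_crt_sdk_tls_30_06_25` while every sibling encodes the TLS version before the date (`..._tls_11_06_23`, `..._tls_12_06_23`, `..._tls_13_06_23`), so the `30` reads as a protocol version rather than a day and the identifier no longer matches the `AWS-CRT-SDK-TLSv1.2-2025` string that maps to it in the selection table. Renaming it to `security_policy_aws_crt_sdk_tls_12_2025` (or `..._tls_12_30_06_25`) at the definition and in the table entry keeps the convention and avoids a misleading name in a security-policy file. Separately, this policy takes `.ecc_preferences = &s2n_ecc_preferences_20140601` where the 2023 TLS1.2 policy directly above uses `s2n_ecc_preferences_20230623`; the accompanying policy file lists only secp256r1 and secp384r1, so if the older list is chosen to keep non-FIPS curves such as x25519 out, that deserves a one-line comment, and otherwise please confirm the 2014 list matches the documented curve set. A short header comment stating the intent, `/* FIPS 140-3 + PFS profile for the CRT SDKs: TLS1.2+, AES-GCM only, ECDHE over NIST curves, no PQ KEM. */`, would make the constraints visible to the next editor.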
