Ak WIP - adding tls13 to default security policies

bindings/rust/s2n-tls-tokio/tests/common/mod.rs

@@ -5,7 +5,7 @@ use s2n_tls::{
     config,
     connection::Builder,
     error::Error,
-    security::{DEFAULT, DEFAULT_TLS13},
+    security::{self, DEFAULT_TLS13},
 };
 use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
 use std::time::Duration;
@@ -67,14 +67,14 @@ pub fn server_config() -> Result<config::Builder, Error> {
 
 pub fn client_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&security::Policy::from_version("20240502")?)?;
     builder.trust_pem(RSA_CERT_PEM)?;
     Ok(builder)
 }
 
 pub fn server_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&security::Policy::from_version("20240502")?)?;
     builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
     Ok(builder)
 }

bindings/rust/s2n-tls/src/testing/resumption.rs

@@ -66,11 +66,13 @@ mod tests {
     fn resume_session() -> Result<(), Box<dyn Error>> {
         let keypair = CertKeyPair::default();
 
+        let tls12_policy = security::Policy::from_version("20240502")?;
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
-            .load_pem(keypair.cert(), keypair.key())?;
+            .load_pem(keypair.cert(), keypair.key())?
+            .set_security_policy(&tls12_policy)?;
         let server_config = server_config_builder.build()?;
 
         let handler = SessionTicketHandler::default();
@@ -83,7 +85,8 @@ mod tests {
             .set_session_ticket_callback(handler.clone())?
             .trust_pem(keypair.cert())?
             .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
-            .set_connection_initializer(handler)?;
+            .set_connection_initializer(handler)?
+            .set_security_policy(&tls12_policy)?;
         let client_config = client_config_builder.build()?;
 
         // initial handshake, no resumption

default.diff

@@ -0,0 +1,17 @@
+diff --git a/default.old b/default.new
+index 5e6a085f9..90fc3254a 100644
+--- a/default.old
++++ b/default.new
+@@ -1,9 +1,11 @@
+-name: 20240501
++name: default
+ min version: TLS1.2
+ rules:
+ - Perfect Forward Secrecy: yes
+ - FIPS 140-3 (2019): no
+ cipher suites:
++- TLS_AES_256_GCM_SHA384
++- TLS_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

default.new

@@ -0,0 +1,34 @@
+name: default
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1

default.old

@@ -0,0 +1,32 @@
+name: 20240501
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1

default_fips.diff

@@ -0,0 +1,17 @@
+diff --git a/default_fips.old b/default_fips.new
+index a06198b37..cbfab484f 100644
+--- a/default_fips.old
++++ b/default_fips.new
+@@ -1,9 +1,11 @@
+-name: 20240502
++name: default_fips
+ min version: TLS1.2
+ rules:
+ - Perfect Forward Secrecy: yes
+ - FIPS 140-3 (2019): yes
+ cipher suites:
++- TLS_AES_256_GCM_SHA384
++- TLS_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

default_fips.new

@@ -0,0 +1,48 @@
+name: default_fips
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): yes
+cipher suites:
+- TLS_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224

default_fips.old

@@ -0,0 +1,46 @@
+name: 20240502
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): yes
+cipher suites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224

docs/usage-guide/topics/ch06-security-policies.md

@@ -6,7 +6,7 @@ s2n-tls uses pre-made security policies to help avoid common misconfiguration mi
 
 ## Supported TLS Versions
 
-Currently TLS 1.2 is our default version, but we recommend TLS 1.3 where possible. To use TLS 1.3 you need a security policy that supports TLS 1.3.
+TLS 1.3 support is enabled by default.
 **Note:** s2n-tls does not support SSL2.0 for sending and receiving encrypted data, but does accept SSL2.0 hello messages.
 
 ### Chart: Security Policy Version To Protocol Version And Ciphersuites
@@ -15,9 +15,11 @@ The following chart maps the security policy version to protocol version and cip
 
 |    version    | TLS1.0 | TLS1.1 | TLS1.2 | TLS1.3 | AES-CBC | AES-GCM | CHACHAPOLY | 3DES | RC4 | DHE | ECDHE | RSA kx |
 |---------------|--------|--------|--------|--------|---------|---------|------------|------|-----|-----|-------|--------|
-|    default    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
-| default_fips  |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+|    default    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
+| default_fips  |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 | default_tls13 |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+|   20240701    |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+|   20240702    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 |   20240501    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
 |   20240502    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
 |   20240503    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
@@ -46,12 +48,11 @@ The following chart maps the security policy version to protocol version and cip
 The "default", "default_tls13", and "default_fips" versions are special in that they will be updated with future s2n-tls changes to keep up-to-date with current security best practices. Ciphersuites, protocol versions, and other options may be added or removed, or their internal order of preference might change. **Warning**: this means that the default policies may change as a result of library updates, which could break peers that rely on legacy options.
 
 In contrast, numbered or dated versions are fixed and will never change. The numbered equivalents of the default policies are currently:
-* "default": "20240501"
-* "default_fips": "20240502"
+* "default": "20240701"
+* "default_fips": "20240702"
 * "default_tls13": "20240503"
-For previous defaults, see the "Default Policy History" section below.
 
-"default_fips" does not currently support TLS1.3. If you need a policy that supports both FIPS and TLS1.3, choose "20230317". We plan to add TLS1.3 support to both "default" and "default_fips" in the future.
+For previous defaults versions, see the "Default Policy History" section below.
 
 "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates.
 Like the default policies, this policy may also change if the source RFC definition changes.
@@ -76,6 +77,8 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 |    default    |     X     |   X   |              |    X    |
 | default_fips  |     X     |   X   |              |    X    |
 | default_tls13 |     X     |   X   |              |    X    |
+|   20240701    |     X     |   X   |              |    X    |
+|   20240701    |     X     |   X   |              |    X    |
 |   20240501    |     X     |   X   |              |    X    |
 |   20240502    |     X     |   X   |              |    X    |
 |   20240503    |     X     |   X   |              |    X    |
@@ -111,6 +114,8 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 |    default    |     X     |     X     |    X   |
 | default_fips  |     X     |     X     |        |
 | default_tls13 |     X     |     X     |    X   |
+|   20240701    |     X     |     X     |    X   |
+|   20240702    |     X     |     X     |        |
 |   20240501    |     X     |     X     |    X   |
 |   20240502    |     X     |     X     |        |
 |   20240503    |     X     |     X     |    X   |
@@ -138,5 +143,6 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 ### Default Policy History
 |  Version   | "default" | "default_fips" | "default_tls13" |
 |------------|-----------|----------------|-----------------|
+|  v1.4.TODO   | 20240701  |   20247502     |    20240503     |
 |  v1.4.16   | 20240501  |   20240502     |    20240503     |
 |   Older    | 20170210  |   20240416     |    20240417     |

policy.new

@@ -0,0 +1,15 @@
+NEW
+
+                                   protocol                        security_policy
+
+                                | tls12  tls13  |  default  default_fips  default_tls13  default_tls12
+                                |               |
+ * non_fips:                    |               |
+ *   no_call:                   |          N    |     x
+ *   s2n_enable_tls13_in_test:  |          x    |     N
+ *   s2n_disable_tls13_in_test: |   x           |                                            N
+ *                              |               |
+ * fips:                        |               |
+ *   no_call:                   |          N    |               x
+ *   s2n_enable_tls13_in_test:  |          x    |               N
+ *   s2n_disable_tls13_in_test: |   x           |                                            N

policy.old

@@ -0,0 +1,16 @@
+OLD
+
+                                   protocol                        security_policy
+
+                                | tls12  tls13  |  default  default_fips  default_tls13  default_tls12
+                                |               |
+ * non_fips:                    |               |
+ *   no_call:                   |   x           |     x
+ *   s2n_enable_tls13_in_test:  |          x    |                             x
+ *   s2n_disable_tls13_in_test: |   x           |     x
+ *                              |               |
+ * fips:                        |               |
+ *   no_call:                   |   x           |               x
+ *   s2n_enable_tls13_in_test:  |          x    |                             x
+ *   s2n_disable_tls13_in_test: |   x           |               x
+

tests/fuzz/s2n_certificate_extensions_parse_test.c

@@ -17,21 +17,20 @@
                      s2n_recv_server_sct_list s2n_server_certificate_status_recv
                      s2n_x509_validator_validate_cert_stapled_ocsp_response */
 
-#include <stdint.h>
-
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <stdint.h>
 
 #include "api/s2n.h"
+#include "s2n_test.h"
 #include "stuffer/s2n_stuffer.h"
+#include "testlib/s2n_testlib.h"
 #include "tls/extensions/s2n_extension_list.h"
 #include "tls/s2n_config.h"
 #include "tls/s2n_connection.h"
 #include "tls/s2n_tls.h"
-#include "utils/s2n_safety.h"
-#include "s2n_test.h"
-#include "testlib/s2n_testlib.h"
 #include "tls/s2n_tls13.h"
+#include "utils/s2n_safety.h"
 
 struct host_verify_data {
     const char *name;
@@ -47,12 +46,11 @@ static uint8_t verify_host_accept_everything(const char *host_name, size_t host_
 }
 
 /* This test is for TLS versions 1.3 and up only */
-static const uint8_t TLS_VERSIONS[] = {S2N_TLS13};
+static const uint8_t TLS_VERSIONS[] = { S2N_TLS13 };
 
 int s2n_fuzz_init(int *argc, char **argv[])
 {
     /* Initialize the trust store */
-    POSIX_GUARD_RESULT(s2n_config_testing_defaults_init_tls13_certs());
     POSIX_GUARD(s2n_enable_tls13_in_test());
     return S2N_SUCCESS;
 }
@@ -63,7 +61,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
     S2N_FUZZ_ENSURE_MIN_LEN(len, 1);
 
     /* Setup */
-    struct s2n_stuffer fuzz_stuffer = {0};
+    struct s2n_stuffer fuzz_stuffer = { 0 };
     POSIX_GUARD(s2n_stuffer_alloc(&fuzz_stuffer, len));
     POSIX_GUARD(s2n_stuffer_write_bytes(&fuzz_stuffer, buf, len));