aws · toidiu · Nov 27, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
diff --git a/bindings/rust/integration/src/network/tls_client.rs b/bindings/rust/integration/src/network/tls_client.rs
@@ -1,7 +1,11 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use s2n_tls::{config::Config, enums::Version, security::Policy};
+use s2n_tls::{
+    config::Config,
+    enums::Version,
+    security::{self, Policy},
+};
 use s2n_tls_tokio::{TlsConnector, TlsStream};
 use tokio::net::TcpStream;
 
@@ -14,13 +18,13 @@ use tokio::net::TcpStream;
 /// `Err``.
 async fn handshake_with_domain(
     domain: &str,
-    security_policy: &str,
+    security_policy: &Policy,
 ) -> Result<TlsStream<TcpStream>, Box<dyn std::error::Error>> {
-    tracing::info!("querying {domain} with {security_policy}");
+    tracing::info!("querying {domain} with {:?}", security_policy);
     const PORT: u16 = 443;
 
     let mut config = Config::builder();
-    config.set_security_policy(&Policy::from_version(security_policy)?)?;
+    config.set_security_policy(security_policy)?;
 
     let client = TlsConnector::new(config.build()?);
     // open the TCP stream
@@ -42,7 +46,8 @@ mod kms_pq {
     // supports ML-KEM.
     #[test_log::test(tokio::test)]
     async fn pq_handshake() -> Result<(), Box<dyn std::error::Error>> {
-        let tls = handshake_with_domain(DOMAIN, "KMS-PQ-TLS-1-0-2020-07").await?;
+        let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?;
+        let tls = handshake_with_domain(DOMAIN, &policy).await?;
 
         assert_eq!(
             tls.as_ref().cipher_suite()?,
@@ -65,7 +70,8 @@ mod kms_pq {
         ];
 
         for security_policy in EARLY_DRAFT_PQ_POLICIES {
-            let tls = handshake_with_domain(DOMAIN, security_policy).await?;
+            let policy = Policy::from_version(security_policy)?;
+            let tls = handshake_with_domain(DOMAIN, &policy).await?;
 
             assert_eq!(tls.as_ref().cipher_suite()?, "ECDHE-RSA-AES256-GCM-SHA384");
             assert_eq!(tls.as_ref().kem_name(), None);
@@ -84,10 +90,10 @@ async fn tls_client() -> Result<(), Box<dyn std::error::Error>> {
     for domain in DOMAINS {
         tracing::info!("querying {domain}");
 
-        let tls12 = handshake_with_domain(domain, "default").await?;
+        let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?;
         assert_eq!(tls12.as_ref().actual_protocol_version()?, Version::TLS12);
 
-        let tls13 = handshake_with_domain(domain, "default_tls13").await?;
+        let tls13 = handshake_with_domain(domain, &security::DEFAULT_TLS13).await?;
         assert_eq!(tls13.as_ref().actual_protocol_version()?, Version::TLS13);
     }
 

diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml
@@ -19,6 +19,7 @@ s2n-tls = { version = "=0.3.7", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]
+s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] }
 clap = { version = "3", features = ["derive"] }
 rand = { version = "0.8" }
 tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] }

diff --git a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs
@@ -5,7 +5,7 @@ use s2n_tls::{
     config,
     connection::Builder,
     error::Error,
-    security::{DEFAULT, DEFAULT_TLS13},
+    security::{DEFAULT_TLS13, TESTING_TLS12},
 };
 use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
 use std::time::Duration;
@@ -61,14 +61,15 @@ pub fn server_config() -> Result<config::Builder, Error> {
 
 pub fn client_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&TESTING_TLS12)?;
     builder.trust_pem(RSA_CERT_PEM)?;
     Ok(builder)
 }
 
 pub fn server_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&TESTING_TLS12)?;
+
     builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
     Ok(builder)
 }

diff --git a/bindings/rust/s2n-tls/src/security.rs b/bindings/rust/s2n-tls/src/security.rs
@@ -105,6 +105,9 @@ pub const DEFAULT: Policy = policy!("default");
 /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
 pub const DEFAULT_TLS13: Policy = policy!("default_tls13");
 
+#[cfg(any(feature = "unstable-testing", test))]
+pub const TESTING_TLS12: Policy = policy!("20240501");
+
 #[cfg(feature = "pq")]
 pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26");
 

diff --git a/bindings/rust/s2n-tls/src/testing/resumption.rs b/bindings/rust/s2n-tls/src/testing/resumption.rs
@@ -63,13 +63,14 @@ mod tests {
     }
 
     #[test]
-    fn resume_session() -> Result<(), Box<dyn Error>> {
+    fn resume_tls12_session() -> Result<(), Box<dyn Error>> {
         let keypair = CertKeyPair::default();
 
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
+            .set_security_policy(&security::TESTING_TLS12)?
             .load_pem(keypair.cert(), keypair.key())?;
         let server_config = server_config_builder.build()?;
 
@@ -83,6 +84,7 @@ mod tests {
             .set_session_ticket_callback(handler.clone())?
             .trust_pem(keypair.cert())?
             .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
+            .set_security_policy(&security::TESTING_TLS12)?
             .set_connection_initializer(handler)?;
         let client_config = client_config_builder.build()?;
 

diff --git a/tests/unit/s2n_client_supported_groups_extension_test.c b/tests/unit/s2n_client_supported_groups_extension_test.c
@@ -260,12 +260,24 @@ int main()
 
             for (size_t i = 0; i < NUM_MISMATCH_PQ_TEST_POLICY_OVERRIDES; i++) {
                 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
+
+                DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
+                        s2n_config_ptr_free);
+                EXPECT_NOT_NULL(config);
+                /* These tests explicitly set security_policy_override to test ECC
+                 * selection logic and expect a s2n_config that does support x25519 and
+                 * TLS 1.3, but does not support PQ.
+                 */
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240503"));
+
                 struct s2n_connection *client_conn = NULL;
                 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
+                EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
                 client_conn->security_policy_override = test_policy_overrides[i][0];
 
                 struct s2n_connection *server_conn = NULL;
                 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
+                EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
                 server_conn->security_policy_override = test_policy_overrides[i][1];
 
                 const struct s2n_ecc_preferences *server_ecc_pref = NULL;

diff --git a/tests/unit/s2n_self_talk_ktls_test.c b/tests/unit/s2n_self_talk_ktls_test.c
@@ -131,7 +131,8 @@ int main(int argc, char **argv)
     DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
     EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
     EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
-    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+    /* Configure a TLS 1.2 policy */
+    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
     EXPECT_SUCCESS(s2n_config_ktls_enable_unsafe_tls13(config));
 
     /* Even if we detected ktls support at compile time, enabling ktls

diff --git a/tests/unit/s2n_server_key_share_extension_test.c b/tests/unit/s2n_server_key_share_extension_test.c
@@ -251,6 +251,7 @@ int main(int argc, char **argv)
                 struct s2n_connection *client_conn = NULL;
 
                 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
+                EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "20240503"));
 
                 const struct s2n_ecc_preferences *ecc_pref = NULL;
                 EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(client_conn, &ecc_pref));