Add Round 3 PQ TLS Policies #2842
Merged
bbutch reviewed May 24, 2021
alexw91 force-pushed the pq_security_policies_2021 branch from 662b645 to e2e3690 on June 22, 2021 23:26
alexw91 force-pushed the pq_security_policies_2021 branch 3 times, most recently from e4cbda5 to 110c26d on June 24, 2021 00:06
…nd integrate them into unit tests
alexw91 force-pushed the pq_security_policies_2021 branch from 110c26d to 58066b0 on June 24, 2021 23:28
alexw91 changed the title from "[DRAFT] Add Round 3 PQ TLS Policies" to "Add Round 3 PQ TLS Policies" on Jun 25, 2021
bbutch reviewed Jun 29, 2021
bbutch approved these changes Jul 1, 2021
Co-authored-by: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
WesleyRosenblum approved these changes Jul 1, 2021
This was referenced Jul 2, 2021
dougch pushed a commit to dougch/s2n-tls that referenced this pull request on Jul 12, 2021:
* Add Round 3 PQ TLS Policies
* Create S2N_SUPPORTED_KEM_GROUPS_COUNT and ALL_SUPPORTED_KEM_GROUPS, and integrate them into unit tests
* Update PQ Security Policies to use x25519 if available
* Final touches
* Address CR Feedback
* Update tls/s2n_tls_parameters.h
Co-authored-by: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
Co-authored-by: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
Resolved issues:
N/A
Description of changes:
Adds 8 new Security Policies with Post Quantum Ciphers.
Each new PQ Security Policy appends Round 3 versions of Kyber, BIKE, and SIKE to an existing security policy.
TLS 1.2 Security Policies
- PQ-TLS-1-1-2021-05-17 is based on ELBSecurityPolicy-TLS-1-1-2017-01
- PQ-TLS-1-0-2021-05-18 is based on 20190214
- PQ-TLS-1-0-2021-05-19 is based on ELBSecurityPolicy-2016-08
- PQ-TLS-1-0-2021-05-20 is based on KMS-PQ-TLS-1-0-2020-07
TLS 1.3 Security Policies
- PQ-TLS-1-1-2021-05-21 is based on ELBSecurityPolicy-TLS-1-1-2017-01
- PQ-TLS-1-0-2021-05-22 is based on 20190214
- PQ-TLS-1-0-2021-05-23 is based on ELBSecurityPolicy-2016-08
- PQ-TLS-1-0-2021-05-24 is based on KMS-PQ-TLS-1-0-2020-07
S2N_SUPPORTED_KEM_GROUPS_COUNT was smaller than required, resulting in KEM parsing code writing beyond the end of an array.
Call-outs:
There are still some Round 3 Known Answer Test vectors that are missing. I will add these Test Vectors in a follow-up PR (Edit: Completed in #2936).
Testing:
Adds many new unit tests that perform local TLS key exchanges using all PQ algorithms in all new PQ security policies. Extended many existing TLS 1.3 PQ unit tests to automatically test all supported KEMs.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
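One defensive pattern for the count defect the description names (a group count that fell below the size of the group table, so parsing wrote past an array), as an added example rather than code from the s2n-tls PR: the count is derived from the table itself and the parser bounds-checks its output buffer. The table, group IDs, and function names are constructed for this example and are not s2n-tls's real identifiers.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a supported-KEM-group table: names and IDs are
 * placeholders for this example, not s2n-tls's real table. */
typedef struct { uint16_t iana_id; const char *name; } kem_group;

static const kem_group ALL_SUPPORTED_KEM_GROUPS[] = {
    { 0x2F00, "x25519_kyber512r3" },      /* placeholder IDs */
    { 0x2F01, "secp256r1_kyber512r3" },
    { 0x2F02, "x25519_bike1l1r3" },
    { 0x2F03, "secp256r1_sikep434r3" },
};

/* Derive the count from the table itself, so adding a group can never leave
 * the count smaller than the table (the defect the PR description names). */
#define SUPPORTED_KEM_GROUPS_COUNT \
    (sizeof(ALL_SUPPORTED_KEM_GROUPS) / sizeof(ALL_SUPPORTED_KEM_GROUPS[0]))

/* Parse a 2-byte-length-prefixed list of big-endian uint16 group IDs (the
 * layout of a TLS supported_groups body) into out[], keeping only IDs found
 * in the table. Returns the number kept, or -1 if the input is malformed or
 * out[] would overflow (repeated IDs in the list count against out_cap). */
int parse_kem_groups(const uint8_t *buf, size_t len, uint16_t *out, size_t out_cap)
{
    if (len < 2) return -1;
    size_t list_len = ((size_t)buf[0] << 8) | buf[1];
    if (list_len % 2 != 0 || list_len + 2 != len) return -1;

    size_t n = 0;
    for (size_t i = 2; i < len; i += 2) {
        uint16_t id = (uint16_t)((buf[i] << 8) | buf[i + 1]);
        for (size_t g = 0; g < SUPPORTED_KEM_GROUPS_COUNT; g++) {
            if (ALL_SUPPORTED_KEM_GROUPS[g].iana_id != id) continue;
            if (n >= out_cap) return -1;   /* bounds check: never write past out[] */
            out[n++] = id;
            break;
        }
    }
    return (int)n;
}

/* Constructed client list: x25519 (0x001D, not in the KEM table) plus two
 * table entries; the output buffer is sized from the derived count. */
int example_matches(void)
{
    static const uint8_t wire[] = { 0x00, 0x06, 0x00, 0x1D, 0x2F, 0x02, 0x2F, 0x00 };
    uint16_t out[SUPPORTED_KEM_GROUPS_COUNT];
    return parse_kem_groups(wire, sizeof(wire), out, SUPPORTED_KEM_GROUPS_COUNT);
}
```

With the count tied to the table, a later addition of a KEM group grows every buffer declared with it, and an undersized caller buffer is reported as an error instead of being overrun.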