s2n-tls 0.3.36

A C99 implementation of the TLS/SSL protocols
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

//! Security options like cipher suites, signature algorithms, versions, etc.
//!
//! See <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>

use crate::error::Error;
use core::fmt;
use std::ffi::{CStr, CString};

#[derive(Clone, PartialEq)]
enum Context {
    Static(&'static [u8]),
    Owned(CString),
}

#[derive(Clone, PartialEq)]
pub struct Policy(Context);

impl Policy {
    pub(crate) fn as_cstr(&self) -> &CStr {
        match &self.0 {
            Context::Static(x) => unsafe {
                // Safety: Policies are always created with null-terminated strings
                CStr::from_bytes_with_nul_unchecked(x)
            },
            Context::Owned(x) => x.as_c_str(),
        }
    }

    /// Construct a numbered security policy.
    ///
    /// Numbered security policies are stable and will not change, in comparison
    /// to default security policies: [DEFAULT] and [DEFAULT_TLS13].
    ///
    /// See the s2n-tls usage guide for details on available policies:
    /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
    /// ```
    /// use s2n_tls::{config, security};
    ///
    /// let mut config = config::Builder::new();
    ///
    /// // "20240501" is a numbered security policy. More information can be found
    /// // in the linked s2n-tls usage guide.
    /// let security_policy = match security::Policy::from_version("20240501") {
    ///     Ok(policy) => policy,
    ///     Err(e) => {
    ///         eprintln!("unable to construct the policy: {}", e);
    ///         return;
    ///     }
    /// };
    /// config.set_security_policy(&security_policy);
    /// ```
    pub fn from_version(version: &str) -> Result<Policy, Error> {
        let cstr = CString::new(version).map_err(|_| Error::INVALID_INPUT)?;
        let context = Context::Owned(cstr);
        Ok(Self(context))
    }
}

impl fmt::Debug for Policy {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        f.debug_tuple("Policy").field(&self.as_cstr()).finish()
    }
}

macro_rules! policy {
    ($version:expr) => {
        Policy(Context::Static(concat!($version, "\0").as_bytes()))
    };
}

/// Default policy
///
/// # Warning
///
/// Cipher suites, curves, signature algorithms, or other security policy options
/// may be added or removed from "default" in order to keep it up to date with
/// current security best practices.
///
/// That means that updating the library may cause the policy to change. If peers
/// are expected to be reasonably modern and support standard options, then this
/// should not be a problem. But if peers rely on a deprecated option that is removed,
/// they may be unable to connect.
///
/// If you instead need a static, versioned policy, choose one according to the s2n-tls usage guide:
/// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
pub const DEFAULT: Policy = policy!("default");

/// Default policy supporting TLS1.3
///
/// # Warning
///
/// Cipher suites, curves, signature algorithms, or other security policy options
/// may be added or removed from "default_tls13" in order to keep it up to date with
/// current security best practices.
///
/// That means that updating the library may cause the policy to change. If peers
/// are expected to be reasonably modern and support standard options, then this
/// should not be a problem. But if peers rely on a deprecated option that is removed,
/// they may be unable to connect.
///
/// If you instead need a static, versioned policy, choose one according to the s2n-tls usage guide:
/// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
pub const DEFAULT_TLS13: Policy = policy!("default_tls13");

#[cfg(any(feature = "unstable-testing", test))]
pub const TESTING_TLS12: Policy = policy!("20240501");

#[cfg(feature = "pq")]
pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26");

#[cfg(feature = "pq")]
pub const DEFAULT_PQ: Policy = policy!("default_pq");

pub const ALL_POLICIES: &[Policy] = &[
    DEFAULT,
    DEFAULT_TLS13,
    #[cfg(feature = "pq")]
    TESTING_PQ,
    #[cfg(feature = "pq")]
    DEFAULT_PQ,
];