use testing_tls12 policy

aws · Nov 24, 2024 · ffb5388 · ffb5388
1 parent 014542a
commit ffb5388
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 13 deletions.
diff --git a/bindings/rust/integration/src/network/tls_client.rs b/bindings/rust/integration/src/network/tls_client.rs
@@ -1,7 +1,11 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use s2n_tls::{config::Config, enums::Version, security::Policy};
+use s2n_tls::{
+    config::Config,
+    enums::Version,
+    security::{self, Policy},
+};
 use s2n_tls_tokio::{TlsConnector, TlsStream};
 use tokio::net::TcpStream;
 
@@ -14,13 +18,13 @@ use tokio::net::TcpStream;
 /// `Err``.
 async fn handshake_with_domain(
     domain: &str,
-    security_policy: &str,
+    security_policy: &Policy,
 ) -> Result<TlsStream<TcpStream>, Box<dyn std::error::Error>> {
-    tracing::info!("querying {domain} with {security_policy}");
+    tracing::info!("querying {domain} with {:?}", security_policy);
     const PORT: u16 = 443;
 
     let mut config = Config::builder();
-    config.set_security_policy(&Policy::from_version(security_policy)?)?;
+    config.set_security_policy(security_policy)?;
 
     let client = TlsConnector::new(config.build()?);
     // open the TCP stream
@@ -42,7 +46,8 @@ mod kms_pq {
     // supports ML-KEM.
     #[test_log::test(tokio::test)]
     async fn pq_handshake() -> Result<(), Box<dyn std::error::Error>> {
-        let tls = handshake_with_domain(DOMAIN, "KMS-PQ-TLS-1-0-2020-07").await?;
+        let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?;
+        let tls = handshake_with_domain(DOMAIN, &policy).await?;
 
         assert_eq!(
             tls.as_ref().cipher_suite()?,
@@ -65,7 +70,8 @@ mod kms_pq {
         ];
 
         for security_policy in EARLY_DRAFT_PQ_POLICIES {
-            let tls = handshake_with_domain(DOMAIN, security_policy).await?;
+            let policy = Policy::from_version(security_policy)?;
+            let tls = handshake_with_domain(DOMAIN, &policy).await?;
 
             assert_eq!(tls.as_ref().cipher_suite()?, "ECDHE-RSA-AES256-GCM-SHA384");
             assert_eq!(tls.as_ref().kem_name(), None);
@@ -84,10 +90,10 @@ async fn tls_client() -> Result<(), Box<dyn std::error::Error>> {
     for domain in DOMAINS {
         tracing::info!("querying {domain}");
 
-        let tls12 = handshake_with_domain(domain, "20240501").await?;
+        let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?;
         assert_eq!(tls12.as_ref().actual_protocol_version()?, Version::TLS12);
 
-        let tls13 = handshake_with_domain(domain, "default_tls13").await?;
+        let tls13 = handshake_with_domain(domain, &security::DEFAULT_TLS13).await?;
         assert_eq!(tls13.as_ref().actual_protocol_version()?, Version::TLS13);
     }
 

diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml
@@ -19,6 +19,7 @@ s2n-tls = { version = "=0.3.7", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]
+s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] }
 clap = { version = "3", features = ["derive"] }
 rand = { version = "0.8" }
 tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] }

diff --git a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs
@@ -5,7 +5,7 @@ use s2n_tls::{
     config,
     connection::Builder,
     error::Error,
-    security::{Policy, DEFAULT_TLS13},
+    security::{self, DEFAULT_TLS13},
 };
 use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
 use std::time::Duration;
@@ -61,14 +61,14 @@ pub fn server_config() -> Result<config::Builder, Error> {
 
 pub fn client_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&Policy::from_version("20240501").unwrap())?;
+    builder.set_security_policy(&security::TESTING_TLS12)?;
     builder.trust_pem(RSA_CERT_PEM)?;
     Ok(builder)
 }
 
 pub fn server_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&Policy::from_version("20240501").unwrap())?;
+    builder.set_security_policy(&security::TESTING_TLS12)?;
 
     builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
     Ok(builder)

diff --git a/bindings/rust/s2n-tls/src/security.rs b/bindings/rust/s2n-tls/src/security.rs
@@ -108,15 +108,15 @@ pub const DEFAULT_TLS13: Policy = policy!("default_tls13");
 #[cfg(feature = "pq")]
 pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26");
 
-pub(crate) const TESTING_TLS12: Policy = policy!("20240501");
+#[cfg(any(feature = "unstable-testing", test))]
+pub const TESTING_TLS12: Policy = policy!("20240501");
 
 #[cfg(feature = "pq")]
 pub const DEFAULT_PQ: Policy = policy!("default_pq");
 
 pub const ALL_POLICIES: &[Policy] = &[
     DEFAULT,
     DEFAULT_TLS13,
-    TESTING_TLS12,
     #[cfg(feature = "pq")]
     TESTING_PQ,
     #[cfg(feature = "pq")]