Add TLS Policy Snapshot

alexw91 · alexw91 · commit 550e69e1c3b5 · 2025-06-16T16:27:44.000-07:00
diff --git a/tests/policy_snapshot/snapshots/AWS-CRT-SDK-TLSv1.3-2025-PQ-KX-Required b/tests/policy_snapshot/snapshots/AWS-CRT-SDK-TLSv1.3-2025-PQ-KX-Required
@@ -0,0 +1,32 @@
+name: AWS-CRT-SDK-TLSv1.3-2025-PQ-KX-Required
+min version: TLS1.3
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
+signature schemes:
+- mldsa44
+- mldsa65
+- mldsa87
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+pq:
+- revision: 5
+- kems:
+- kem groups:
+-- X25519MLKEM768
+-- SecP256r1MLKEM768
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -878,6 +878,9 @@ const struct s2n_security_policy security_policy_aws_crt_sdk_tls_13_06_25_pq_kx_
     .kem_preferences = &kem_preferences_pq_tls_1_3_ietf_2024_10,
     .signature_preferences = &s2n_signature_preferences_20250512,
     .ecc_preferences = &s2n_ecc_preferences_null,
+    .rules = {
+        [S2N_PERFECT_FORWARD_SECRECY] = true,
+    },
 };
 
 /* Same as security_policy_pq_tls_1_2_2023_10_07, but with TLS 1.2 Kyber removed, and added ML-KEM support */
