Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Round 3 PQ TLS Policies #2842

Merged
merged 6 commits into from
Jul 2, 2021
Merged

Add Round 3 PQ TLS Policies #2842

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fcaa3c6
Add Round 3 PQ TLS Policies
alexw91 May 18, 2021
58066b0
Create S2N_SUPPORTED_KEM_GROUPS_COUNT and ALL_SUPPORTED_KEM_GROUPS, a…
alexw91 Jun 22, 2021
7b699dd
Update PQ Security Policies to use x25519 if available
alexw91 Jun 25, 2021
2e87130
Final touches
alexw91 Jun 29, 2021
4ed34ae
Address CR Feedback
alexw91 Jul 1, 2021
aa41f6c
Update tls/s2n_tls_parameters.h
alexw91 Jul 1, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 4 additions & 17 deletions tests/unit/s2n_client_key_share_extension_pq_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,22 +39,11 @@ int main() {
BEGIN_TEST();
/* PQ hybrid tests for s2n_client_key_share_extension */
{
const struct s2n_kem_group *all_kem_groups[] = {
&s2n_secp256r1_sike_p434_r3,
&s2n_secp256r1_bike1_l1_r2,
&s2n_secp256r1_kyber_512_r2,
#if EVP_APIS_SUPPORTED
&s2n_x25519_sike_p434_r3,
&s2n_x25519_bike1_l1_r2,
&s2n_x25519_kyber_512_r2,
#endif
};

const struct s2n_kem_preferences kem_prefs_all = {
.kem_count = 0,
.kems = NULL,
.tls13_kem_group_count = s2n_array_len(all_kem_groups),
.tls13_kem_groups = all_kem_groups,
.tls13_kem_group_count = S2N_SUPPORTED_KEM_GROUPS_COUNT,
.tls13_kem_groups = ALL_SUPPORTED_KEM_GROUPS,
};

const struct s2n_security_policy security_policy_all = {
Expand Down Expand Up @@ -83,8 +72,6 @@ int main() {
.ecc_preferences = &s2n_ecc_preferences_20200310,
};

EXPECT_EQUAL(S2N_SUPPORTED_KEM_GROUPS_COUNT, s2n_array_len(all_kem_groups));

/* Tests for s2n_client_key_share_extension.send */
{
/* Test that s2n_client_key_share_extension.send sends only ECC key shares
Expand Down Expand Up @@ -137,7 +124,7 @@ int main() {
* correctly. */
const struct s2n_kem_group *test_kem_groups[S2N_SUPPORTED_KEM_GROUPS_COUNT];
for (size_t j = 0; j < S2N_SUPPORTED_KEM_GROUPS_COUNT; j++) {
test_kem_groups[j] = all_kem_groups[(j + i) % S2N_SUPPORTED_KEM_GROUPS_COUNT];
test_kem_groups[j] = ALL_SUPPORTED_KEM_GROUPS[(j + i) % S2N_SUPPORTED_KEM_GROUPS_COUNT];
}

const struct s2n_kem_preferences test_kem_prefs = {
Expand Down Expand Up @@ -533,7 +520,7 @@ int main() {
* correctly. */
const struct s2n_kem_group *test_kem_groups[S2N_SUPPORTED_KEM_GROUPS_COUNT];
for (size_t j = 0; j < S2N_SUPPORTED_KEM_GROUPS_COUNT; j++) {
test_kem_groups[j] = all_kem_groups[(j + i) % S2N_SUPPORTED_KEM_GROUPS_COUNT];
test_kem_groups[j] = ALL_SUPPORTED_KEM_GROUPS[(j + i) % S2N_SUPPORTED_KEM_GROUPS_COUNT];
}

const struct s2n_kem_preferences test_kem_prefs = {
Expand Down
57 changes: 57 additions & 0 deletions tests/unit/s2n_kex_with_kem_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,14 +182,71 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "KMS-PQ-TLS-1-0-2020-02", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "KMS-PQ-TLS-1-0-2020-07", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "KMS-PQ-TLS-1-0-2020-07", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_sike_p434_r3));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_sike_p503_r1));
EXPECT_SUCCESS(do_kex_with_kem(&sike_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_sike_p434_r3));

EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "KMS-PQ-TLS-1-0-2019-06", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "KMS-PQ-TLS-1-0-2020-02", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "KMS-PQ-TLS-1-0-2020-02", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "KMS-PQ-TLS-1-0-2020-07", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "KMS-PQ-TLS-1-0-2020-07", &s2n_bike1_l1_r2));

EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_bike_l1_r3));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_bike1_l1_r1));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_bike1_l1_r2));
EXPECT_SUCCESS(do_kex_with_kem(&bike_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_bike_l1_r3));

EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "KMS-PQ-TLS-1-0-2020-07", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-1-2021-05-17", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-18", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-19", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-20", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_kyber_512_r2));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-1-2021-05-21", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-22", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-23", &s2n_kyber_512_r3));
EXPECT_SUCCESS(do_kex_with_kem(&kyber_test_suite, "PQ-TLS-1-0-2021-05-24", &s2n_kyber_512_r3));

/* Test Failure cases */
EXPECT_FAILURE_WITH_ERRNO(do_kex_with_kem(&sike_test_suite, "KMS-PQ-TLS-1-0-2019-06", &s2n_sike_p434_r3), S2N_ERR_KEM_UNSUPPORTED_PARAMS);
Expand Down
108 changes: 108 additions & 0 deletions tests/unit/s2n_security_policies_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,41 @@
#include "s2n_test.h"

#include "tls/s2n_security_policies.h"
#include "tls/s2n_kem.h"
#include "pq-crypto/s2n_pq.h"

int main(int argc, char **argv)
{
BEGIN_TEST();
EXPECT_SUCCESS(s2n_disable_tls13());

EXPECT_TRUE(s2n_array_len(ALL_SUPPORTED_KEM_GROUPS) == S2N_SUPPORTED_KEM_GROUPS_COUNT);

/* Perform basic checks on all Security Policies. */
for (size_t policy_index = 0; security_policy_selection[policy_index].version != NULL; policy_index++) {
const struct s2n_security_policy *security_policy = security_policy_selection[policy_index].security_policy;

/* TLS 1.3 + PQ checks */
if (security_policy->kem_preferences->tls13_kem_group_count > 0) {
/* Ensure that no TLS 1.3 KEM group preference lists go over max supported limit */
EXPECT_TRUE(security_policy->kem_preferences->tls13_kem_group_count <= S2N_SUPPORTED_KEM_GROUPS_COUNT);

/* Ensure all TLS 1.3 KEM groups in all policies are in the global list of all supported KEM groups */
for(int i = 0; i < security_policy->kem_preferences->tls13_kem_group_count; i++) {
const struct s2n_kem_group *kem_group = security_policy->kem_preferences->tls13_kem_groups[i];

int kem_group_is_supported = 0;
for (int j = 0; j < S2N_SUPPORTED_KEM_GROUPS_COUNT; j++) {
if (kem_group->iana_id == ALL_SUPPORTED_KEM_GROUPS[j]->iana_id) {
kem_group_is_supported = 1;
break;
}
}
EXPECT_TRUE(kem_group_is_supported);
}
}
}

const struct s2n_security_policy *security_policy = NULL;

/* Test common known good cipher suites for expected configuration */
Expand Down Expand Up @@ -130,6 +158,86 @@ int main(int argc, char **argv)
EXPECT_EQUAL(3, security_policy->kem_preferences->tls13_kem_group_count);
#endif

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-1-2021-05-17", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-18", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-19", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-20", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-1-2021-05-21", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-22", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-23", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("PQ-TLS-1-0-2021-05-24", &security_policy));
EXPECT_TRUE(s2n_ecc_is_extension_required(security_policy));
EXPECT_TRUE(s2n_pq_kem_is_extension_required(security_policy));
EXPECT_EQUAL(7, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(security_policy->kem_preferences->kems, pq_kems_r3r2r1_2021_05);
EXPECT_NOT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3r2);

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20141001", &security_policy));
EXPECT_FALSE(s2n_ecc_is_extension_required(security_policy));
Expand Down
24 changes: 19 additions & 5 deletions tests/unit/s2n_server_key_share_extension_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -512,6 +512,7 @@ int main(int argc, char **argv)
}

{
/* KEM groups with Test Vectors defined in /tests/unit/kats/tls13_server_hybrid_key_share_recv.kat */
const struct s2n_kem_group *test_kem_groups[] = {
&s2n_secp256r1_sike_p434_r3,
&s2n_secp256r1_bike1_l1_r2,
Expand All @@ -523,8 +524,6 @@ int main(int argc, char **argv)
#endif
};

EXPECT_EQUAL(S2N_SUPPORTED_KEM_GROUPS_COUNT, s2n_array_len(test_kem_groups));

const struct s2n_kem_preferences test_kem_prefs = {
.kem_count = 0,
.kems = NULL,
Expand All @@ -540,6 +539,21 @@ int main(int argc, char **argv)
.ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_kem_preferences test_all_supported_kem_prefs = {
.kem_count = 0,
.kems = NULL,
.tls13_kem_group_count = S2N_SUPPORTED_KEM_GROUPS_COUNT,
.tls13_kem_groups = ALL_SUPPORTED_KEM_GROUPS,
};

const struct s2n_security_policy test_all_supported_kems_security_policy = {
.minimum_protocol_version = S2N_SSLv3,
.cipher_preferences = &cipher_preferences_test_all_tls13,
.kem_preferences = &test_all_supported_kem_prefs,
.signature_preferences = &s2n_signature_preferences_20200207,
.ecc_preferences = &s2n_ecc_preferences_20200310,
};

const struct s2n_kem_group *kem_groups_sike_bike[] = {
&s2n_secp256r1_sike_p434_r3,
&s2n_secp256r1_bike1_l1_r2
Expand Down Expand Up @@ -837,7 +851,7 @@ int main(int argc, char **argv)
for (size_t i = 0; i < S2N_SUPPORTED_KEM_GROUPS_COUNT; i++) {
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->security_policy_override = &test_security_policy;
conn->security_policy_override = &test_all_supported_kems_security_policy;

const struct s2n_kem_preferences *kem_pref = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_pref));
Expand Down Expand Up @@ -894,7 +908,7 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->security_policy_override = &test_security_policy;
conn->security_policy_override = &test_all_supported_kems_security_policy;
conn->actual_protocol_version = S2N_TLS13;
conn->handshake.handshake_type = HELLO_RETRY_REQUEST;
conn->handshake.message_number = HELLO_RETRY_MSG_NO;
Expand Down Expand Up @@ -942,7 +956,7 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->security_policy_override = &test_security_policy;
conn->security_policy_override = &test_all_supported_kems_security_policy;

const struct s2n_kem_preferences *kem_pref = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_pref));
Expand Down
Loading