in tls/s2n_security_rules.c [109:199]
S2N_RESULT s2n_security_rule_validate_policy(const struct s2n_security_rule *rule,
const struct s2n_security_policy *policy, struct s2n_security_rule_result *result)
{
RESULT_ENSURE_REF(rule);
RESULT_ENSURE_REF(policy);
RESULT_ENSURE_REF(result);
const char *policy_name = NULL;
s2n_result_ignore(s2n_security_policy_get_version(policy, &policy_name));
if (policy_name == NULL) {
policy_name = "unnamed";
}
const char *error_msg_format_name = "%s: policy %s: %s: %s (#%i)";
const char *error_msg_format_basic = "%s: policy %s: %s: %i";
const struct s2n_cipher_preferences *cipher_prefs = policy->cipher_preferences;
RESULT_ENSURE_REF(cipher_prefs);
for (size_t i = 0; i < cipher_prefs->count; i++) {
const struct s2n_cipher_suite *cipher_suite = cipher_prefs->suites[i];
RESULT_ENSURE_REF(cipher_suite);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_cipher_suite);
RESULT_GUARD(rule->validate_cipher_suite(cipher_suite, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"cipher suite", cipher_suite->iana_name, i + 1));
}
const struct s2n_signature_preferences *sig_prefs = policy->signature_preferences;
RESULT_ENSURE_REF(sig_prefs);
for (size_t i = 0; i < sig_prefs->count; i++) {
const struct s2n_signature_scheme *sig_scheme = sig_prefs->signature_schemes[i];
RESULT_ENSURE_REF(sig_scheme);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_sig_scheme);
RESULT_GUARD(rule->validate_sig_scheme(sig_scheme, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"signature scheme", sig_scheme->iana_name));
}
const struct s2n_signature_preferences *cert_sig_prefs = policy->certificate_signature_preferences;
if (cert_sig_prefs) {
for (size_t i = 0; i < cert_sig_prefs->count; i++) {
const struct s2n_signature_scheme *sig_scheme = cert_sig_prefs->signature_schemes[i];
RESULT_ENSURE_REF(sig_scheme);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_cert_sig_scheme);
RESULT_GUARD(rule->validate_cert_sig_scheme(sig_scheme, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"certificate signature scheme", sig_scheme->iana_name));
}
}
const struct s2n_ecc_preferences *ecc_prefs = policy->ecc_preferences;
RESULT_ENSURE_REF(ecc_prefs);
for (size_t i = 0; i < ecc_prefs->count; i++) {
const struct s2n_ecc_named_curve *curve = ecc_prefs->ecc_curves[i];
RESULT_ENSURE_REF(curve);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_curve);
RESULT_GUARD(rule->validate_curve(curve, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"curve", curve->name, i + 1));
}
const struct s2n_kem_preferences *kem_prefs = policy->kem_preferences;
RESULT_ENSURE_REF(kem_prefs);
for (size_t i = 0; i < kem_prefs->tls13_kem_group_count; i++) {
const struct s2n_kem_group *kem_group = kem_prefs->tls13_kem_groups[i];
RESULT_ENSURE_REF(kem_group);
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_hybrid_group);
RESULT_GUARD(rule->validate_hybrid_group(kem_group, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_name, rule->name, policy_name,
"kem_group", kem_group->name, i + 1));
}
bool is_valid = false;
RESULT_ENSURE_REF(rule->validate_version);
RESULT_GUARD(rule->validate_version(policy->minimum_protocol_version, &is_valid));
RESULT_GUARD(s2n_security_rule_result_process(result, is_valid,
error_msg_format_basic, rule->name, policy_name,
"min version", policy->minimum_protocol_version));
return S2N_RESULT_OK;
}