fix: update default security policies (#4523)

Author: lrstewart

bindings/rust/bench/src/harness.rs

@@ -292,6 +292,7 @@ where
             self.client.handshake()?;
             self.server.handshake()?;
         }
+        assert!(self.handshake_completed());
         Ok(())
     }
 

bindings/rust/bench/src/s2n_tls.rs

@@ -74,7 +74,7 @@ impl crate::harness::TlsBenchConfig for S2NConfig {
         let security_policy = match (crypto_config.cipher_suite, crypto_config.kx_group) {
             (CipherSuite::AES_128_GCM_SHA256, KXGroup::Secp256R1) => "20230317",
             (CipherSuite::AES_256_GCM_SHA384, KXGroup::Secp256R1) => "20190802",
-            (CipherSuite::AES_128_GCM_SHA256, KXGroup::X25519) => "default_tls13",
+            (CipherSuite::AES_128_GCM_SHA256, KXGroup::X25519) => "20240417",
             (CipherSuite::AES_256_GCM_SHA384, KXGroup::X25519) => "20190801",
         };
 

docs/usage-guide/topics/ch06-security-policies.md

@@ -15,11 +15,14 @@ The following chart maps the security policy version to protocol version and cip
 
 |    version    | TLS1.0 | TLS1.1 | TLS1.2 | TLS1.3 | AES-CBC | AES-GCM | CHACHAPOLY | 3DES | RC4 | DHE | ECDHE | RSA kx |
 |---------------|--------|--------|--------|--------|---------|---------|------------|------|-----|-----|-------|--------|
+|    default    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+| default_fips  |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+| default_tls13 |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+|   20240501    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+|   20240502    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+|   20240503    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 |   20230317    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 |   20240331    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
-|    default    |    X   |    X   |    X   |        |    X    |    X    |      X     |      |     |     |   X   |    X   |
-| default_tls13 |    X   |    X   |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |    X   |
-| default_fips  |        |        |    X   |        |    X    |    X    |            |      |     |  X  |   X   |        |
 |   20190214    |    X   |    X   |    X   |        |    X    |    X    |            |   X  |     |  X  |   X   |    X   |
 |   20170718    |    X   |    X   |    X   |        |    X    |    X    |            |      |     |     |   X   |    X   |
 |   20170405    |    X   |    X   |    X   |        |    X    |    X    |            |   X  |     |     |   X   |    X   |
@@ -43,13 +46,10 @@ The following chart maps the security policy version to protocol version and cip
 The "default", "default_tls13", and "default_fips" versions are special in that they will be updated with future s2n-tls changes to keep up-to-date with current security best practices. Ciphersuites, protocol versions, and other options may be added or removed, or their internal order of preference might change. **Warning**: this means that the default policies may change as a result of library updates, which could break peers that rely on legacy options.
 
 In contrast, numbered or dated versions are fixed and will never change. The numbered equivalents of the default policies are currently:
-* "default": "20170210"
-* "default_tls13": "20240417"
-* "default_fips": "20240416"
-
-"20230317" offers more limited but more secure options than the default policies. Consider it if you don't need or want to support less secure legacy options like TLS1.1 or SHA1. It is also FIPS compliant and supports TLS1.3. If you need a version of this policy that doesn't support TLS1.3, choose "20240331" instead.
-
-"20160411" follows the same general preference order as "default". The main difference is it has a CBC cipher suite at the top. This is to accommodate certain Java clients that have poor GCM implementations. Users of s2n-tls who have found GCM to be hurting performance for their clients should consider this version.
+* "default": "20240501"
+* "default_fips": "20240502"
+* "default_tls13": "20240503"
+For previous defaults, see the "Default Policy History" section below.
 
 "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates.
 Like the default policies, this policy may also change if the source RFC definition changes.
@@ -71,10 +71,13 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 
 |    version    | RSA PKCS1 | ECDSA | SHA-1 Legacy | RSA PSS |
 |---------------|-----------|-------|--------------|---------|
+|    default    |     X     |   X   |              |    X    |
+| default_fips  |     X     |   X   |              |    X    |
+| default_tls13 |     X     |   X   |              |    X    |
+|   20240501    |     X     |   X   |              |    X    |
+|   20240502    |     X     |   X   |              |    X    |
+|   20240503    |     X     |   X   |              |    X    |
 |   20230317    |     X     |   X   |              |    X    |
-|    default    |     X     |       |       X      |         |
-| default_tls13 |     X     |   X   |       X      |    X    |
-| default_fips  |     X     |   X   |              |         |
 |   20190214    |     X     |   X   |       X      |         |
 |   20170718    |     X     |       |       X      |         |
 |   20170405    |     X     |       |       X      |         |
@@ -103,10 +106,13 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 
 |    version    | secp256r1 | secp384r1 | x25519 |
 |---------------|-----------|-----------|--------|
-|   20230317    |     X     |     X     |        |
-|    default    |     X     |     X     |        |
-| default_tls13 |     X     |     X     |    X   |
+|    default    |     X     |     X     |    X   |
 | default_fips  |     X     |     X     |        |
+| default_tls13 |     X     |     X     |    X   |
+|   20240501    |     X     |     X     |    X   |
+|   20240502    |     X     |     X     |        |
+|   20240503    |     X     |     X     |    X   |
+|   20230317    |     X     |     X     |        |
 |   20190214    |     X     |     X     |        |
 |   20170718    |     X     |     X     |        |
 |   20170405    |     X     |     X     |        |
@@ -126,3 +132,9 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 |   20190802    |     X     |     X     |        |
 |   20200207    |     X     |     X     |    X   |
 |    rfc9151    |           |     X     |        |
+
+### Default Policy History
+|  Version   | "default" | "default_fips" | "default_tls13" |
+|------------|-----------|----------------|-----------------|
+|  v1.4.16   | 20240501  |   20240502     |    20240503     |
+|   Older    | 20170210  |   20240416     |    20240417     |

tests/unit/s2n_client_hello_test.c

@@ -314,6 +314,7 @@ int main(int argc, char **argv)
             struct s2n_connection *conn = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
             struct s2n_stuffer *hello_stuffer = &conn->handshake.io;
+            conn->actual_protocol_version = i;
 
             conn->session_id_len = S2N_TLS_SESSION_ID_MAX_LEN;
             EXPECT_MEMCPY_SUCCESS(conn->session_id, test_session_id, S2N_TLS_SESSION_ID_MAX_LEN);
@@ -831,8 +832,9 @@ int main(int argc, char **argv)
          *
          * Our test SSLv2 ClientHello advertises TLS1.2.
          * So the security policy only needs to support TLS1.2.
+         * (and at least one of the ciphers in the hard coded sslv2 client hello)
          */
-        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20170210"));
 
         /* Send the client hello message */
         EXPECT_EQUAL(write(io_pair.client, sslv2_client_hello_header, sslv2_client_hello_header_len), sslv2_client_hello_header_len);

tests/unit/s2n_config_test.c

@@ -156,19 +156,11 @@ int main(int argc, char **argv)
             struct s2n_config *config = NULL;
             EXPECT_NOT_NULL(config = s2n_config_new());
             EXPECT_EQUAL(config->security_policy, default_security_policy);
-            EXPECT_EQUAL(config->security_policy->cipher_preferences, &cipher_preferences_20170210);
-            EXPECT_EQUAL(config->security_policy->kem_preferences, &kem_preferences_null);
-            EXPECT_EQUAL(config->security_policy->signature_preferences, &s2n_signature_preferences_20140601);
-            EXPECT_EQUAL(config->security_policy->ecc_preferences, &s2n_ecc_preferences_20140601);
             EXPECT_SUCCESS(s2n_config_free(config));
 
             EXPECT_SUCCESS(s2n_enable_tls13_in_test());
             EXPECT_NOT_NULL(config = s2n_config_new());
             EXPECT_EQUAL(config->security_policy, tls13_security_policy);
-            EXPECT_EQUAL(config->security_policy->cipher_preferences, &cipher_preferences_20210831);
-            EXPECT_EQUAL(config->security_policy->kem_preferences, &kem_preferences_null);
-            EXPECT_EQUAL(config->security_policy->signature_preferences, &s2n_signature_preferences_20200207);
-            EXPECT_EQUAL(config->security_policy->ecc_preferences, &s2n_ecc_preferences_20200310);
             EXPECT_SUCCESS(s2n_config_free(config));
             EXPECT_SUCCESS(s2n_disable_tls13_in_test());
         }

tests/unit/s2n_connection_test.c

@@ -371,7 +371,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
             EXPECT_SUCCESS(s2n_config_set_client_auth_type(config, S2N_CERT_AUTH_REQUIRED));
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, rsa_chain_and_key));
-            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20170210"));
 
             struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
             EXPECT_NOT_NULL(client_conn);

tests/unit/s2n_handshake_test.c

@@ -261,6 +261,7 @@ int main(int argc, char **argv)
             }
 
             EXPECT_NOT_NULL(client_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20170210"));
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
 
             EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
@@ -457,7 +458,7 @@ int main(int argc, char **argv)
 
                 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
                 EXPECT_NOT_NULL(config);
-                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20170210"));
                 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
                 EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
                 EXPECT_SUCCESS(s2n_config_disable_x509_verification(config));