bin: tool to print security policies (#4524)

aws · May 1, 2024 · 1ed5624 · 1ed5624
1 parent 8604442
commit 1ed5624
Show file tree

Hide file tree

Showing 12 changed files with 209 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -24,6 +24,7 @@ tests/fuzz/fuzz-*.log
 tests/benchmark/*_benchmark
 bin/s2nc
 bin/s2nd
+bin/policy
 util-linux-*
 Python-*
 clang-*

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -526,11 +526,14 @@ if (BUILD_TESTING)
     target_link_libraries(s2nc ${PROJECT_NAME})
     target_compile_options(s2nc PRIVATE -std=gnu99)
 
-
     add_executable(s2nd "bin/s2nd.c" "bin/echo.c" "bin/https.c" "bin/common.c")
     target_link_libraries(s2nd ${PROJECT_NAME})
     target_compile_options(s2nd PRIVATE -std=gnu99)
 
+    add_executable(policy "bin/policy.c")
+    target_link_libraries(policy ${PROJECT_NAME})
+    target_compile_options(policy PRIVATE -std=gnu99)
+
     if(S2N_LTO)
         target_compile_options(s2nc PRIVATE -flto)
         target_compile_options(s2nd PRIVATE -flto)

diff --git a/bin/Makefile b/bin/Makefile
@@ -14,23 +14,28 @@
 #
 
 .PHONY : all
-all: s2nc s2nd
+all: s2nc s2nd policy
 include ../s2n.mk
 
 LDFLAGS += -L../lib/ -L${LIBCRYPTO_ROOT}/lib ../lib/libs2n.a ${CRYPTO_LIBS} ${LIBS}
-CRUFT += s2nc s2nd
+CRUFT += s2nc s2nd policy
 
 s2nc: s2nc.c echo.c
 	${CC} ${CFLAGS} s2nc.c echo.c common.c -o s2nc ${LDFLAGS}
 
 s2nd: s2nd.c echo.c
 	${CC} ${CFLAGS} s2nd.c echo.c https.c common.c -o s2nd ${LDFLAGS}
+
+policy: policy.c
+	${CC} ${CFLAGS} policy.c -o policy ${LDFLAGS}
 
 $(bindir):
 	@mkdir -p $(bindir)
 
-install: s2nc s2nd $(bindir)
+install: s2nc s2nd policy $(bindir)
 	@cp s2n? $(bindir)
+	@cp policy $(bindir)
 
 uninstall:
 	@rm -f $(bindir)/s2n?
+	@rm -f $(bindir)/policy
diff --git a/bin/policy.c b/bin/policy.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "api/s2n.h"
+#include "tls/s2n_security_policies.h"
+#include "tls/s2n_security_rules.h"
+
+#define BOOL_STR(b) ((b) ? "yes" : "no")
+
+extern const struct s2n_security_rule security_rule_definitions[S2N_SECURITY_RULES_COUNT];
+
+const char *version_strs[] = {
+    [S2N_SSLv2] = "SSLv2",
+    [S2N_SSLv3] = "SSLv3",
+    [S2N_TLS10] = "TLS1.0",
+    [S2N_TLS11] = "TLS1.1",
+    [S2N_TLS12] = "TLS1.2",
+    [S2N_TLS13] = "TLS1.3",
+};
+
+static int usage()
+{
+    printf("policy <version>\n"
+           "example: policy default_tls13\n\n");
+    return 0;
+}
+
+int main(int argc, char *const *argv)
+{
+    if (argc != 2) {
+        usage();
+        exit(1);
+    }
+
+    const char *policy_name = argv[1];
+    const struct s2n_security_policy *policy = NULL;
+    if (s2n_find_security_policy_from_version(policy_name, &policy) != S2N_SUCCESS) {
+        usage();
+        exit(1);
+    }
+
+    printf("name: %s\n", policy_name);
+
+    const char *version_str = version_strs[policy->minimum_protocol_version];
+    printf("min version: %s\n", version_str ? version_str : "None");
+
+    printf("rules:\n");
+    for (size_t i = 0; i < S2N_SECURITY_RULES_COUNT; i++) {
+        printf("- %s: %s\n", security_rule_definitions[i].name, BOOL_STR(policy->rules[i]));
+    }
+
+    printf("cipher suites:\n");
+    if (policy->cipher_preferences->allow_chacha20_boosting) {
+        printf("- chacha20 boosting enabled\n");
+    }
+    for (size_t i = 0; i < policy->cipher_preferences->count; i++) {
+        printf("- %s\n", policy->cipher_preferences->suites[i]->iana_name);
+    }
+
+    printf("signature schemes:\n");
+    for (size_t i = 0; i < policy->signature_preferences->count; i++) {
+        printf("- %s\n", policy->signature_preferences->signature_schemes[i]->iana_name);
+    }
+
+    printf("curves:\n");
+    for (size_t i = 0; i < policy->ecc_preferences->count; i++) {
+        printf("- %s\n", policy->ecc_preferences->ecc_curves[i]->name);
+    }
+
+    if (policy->certificate_signature_preferences) {
+        if (policy->certificate_preferences_apply_locally) {
+            printf("certificate preferences apply locally\n");
+        }
+        printf("certificate signature schemes:\n");
+        for (size_t i = 0; i < policy->certificate_signature_preferences->count; i++) {
+            printf("- %s\n", policy->certificate_signature_preferences->signature_schemes[i]->iana_name);
+        }
+    }
+
+    if (policy->certificate_key_preferences) {
+        printf("certificate keys:\n");
+        for (size_t i = 0; i < policy->certificate_key_preferences->count; i++) {
+            printf("- %s\n", policy->certificate_key_preferences->certificate_keys[i]->name);
+        }
+    }
+
+    if (policy->kem_preferences && policy->kem_preferences != &kem_preferences_null) {
+        printf("pq:\n");
+        printf("- revision: %i\n", policy->kem_preferences->tls13_pq_hybrid_draft_revision);
+        printf("- kems:\n");
+        for (size_t i = 0; i < policy->kem_preferences->kem_count; i++) {
+            printf("-- %s\n", policy->kem_preferences->kems[i]->name);
+        }
+        printf("- kem groups:\n");
+        for (size_t i = 0; i < policy->kem_preferences->tls13_kem_group_count; i++) {
+            printf("-- %s\n", policy->kem_preferences->tls13_kem_groups[i]->name);
+        }
+    }
+
+    return 0;
+}
diff --git a/tls/s2n_certificate_keys.c b/tls/s2n_certificate_keys.c
@@ -19,55 +19,66 @@
 
 const struct s2n_certificate_key s2n_rsa_rsae_1024 = {
     .public_key_libcrypto_nid = NID_rsaEncryption,
+    .name = "rsa_1024",
     .bits = 1024,
 };
 
 const struct s2n_certificate_key s2n_rsa_rsae_2048 = {
     .public_key_libcrypto_nid = NID_rsaEncryption,
+    .name = "rsa_2048",
     .bits = 2048,
 };
 
 const struct s2n_certificate_key s2n_rsa_rsae_3072 = {
     .public_key_libcrypto_nid = NID_rsaEncryption,
+    .name = "rsa_3072",
     .bits = 3072,
 };
 
 const struct s2n_certificate_key s2n_rsa_rsae_4096 = {
     .public_key_libcrypto_nid = NID_rsaEncryption,
+    .name = "rsa_4096",
     .bits = 4096,
 };
 
 const struct s2n_certificate_key s2n_rsa_pss_1024 = {
     .public_key_libcrypto_nid = NID_rsassaPss,
+    .name = "rsa_pss_1024",
     .bits = 1024,
 };
 
 const struct s2n_certificate_key s2n_rsa_pss_2048 = {
     .public_key_libcrypto_nid = NID_rsassaPss,
+    .name = "rsa_pss_2048",
     .bits = 2048,
 };
 
 const struct s2n_certificate_key s2n_rsa_pss_3072 = {
     .public_key_libcrypto_nid = NID_rsassaPss,
+    .name = "rsa_pss_3072",
     .bits = 3072,
 };
 
 const struct s2n_certificate_key s2n_rsa_pss_4096 = {
     .public_key_libcrypto_nid = NID_rsassaPss,
+    .name = "rsa_pss_4096",
     .bits = 4096,
 };
 
 const struct s2n_certificate_key s2n_ec_p256 = {
     .public_key_libcrypto_nid = NID_X9_62_prime256v1,
+    .name = "ecdsa_p256",
     .bits = 256,
 };
 
 const struct s2n_certificate_key s2n_ec_p384 = {
     .public_key_libcrypto_nid = NID_secp384r1,
+    .name = "ecdsa_p384",
     .bits = 384,
 };
 
 const struct s2n_certificate_key s2n_ec_p521 = {
     .public_key_libcrypto_nid = NID_secp521r1,
+    .name = "ecdsa_p521",
     .bits = 521,
 };
diff --git a/tls/s2n_certificate_keys.h b/tls/s2n_certificate_keys.h
@@ -18,6 +18,7 @@
 #include <stdint.h>
 
 struct s2n_certificate_key {
+    const char *name;
     uint16_t public_key_libcrypto_nid;
 
     /* modulus for RSA key, size for EC key */