tests: policy snapshot test (#5309)

Co-authored-by: Doug Chapman <54039637+dougch@users.noreply.github.com>

Author: lrstewart

.github/workflows/policy_snapshot.yml

@@ -0,0 +1,46 @@
+name: Policy Snapshot Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  merge_group:
+    types: [checks_requested]
+    branches: [main]
+
+env:
+  GENERATE_SCRIPT: ./tests/policy_snapshot/generate.sh build/bin/policy
+  COMMITTED_SNAPSHOTS: ./tests/policy_snapshot/snapshots
+  GENERATED_SNAPSHOTS: ./tests/policy_snapshot/generated
+  
+jobs:
+  snapshot:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout s2n-tls
+        uses: actions/checkout@v4
+
+      - name: build policy util
+        run: |
+          cmake -Bbuild
+          cmake --build build -j $(nproc)
+
+      - name: generate snapshots
+        run: |
+          mkdir $GENERATED_SNAPSHOTS
+          $GENERATE_SCRIPT $GENERATED_SNAPSHOTS
+      
+      - name: compare snapshots
+        run: |
+          diff -u $COMMITTED_SNAPSHOTS $GENERATED_SNAPSHOTS
+
+      - name: report failure
+        if: failure()
+        run: |
+          echo "Changes made to security policies!"
+          echo "Regenerate the snapshot files by rebuilding 'policy' and running: "
+          echo "  $GENERATE_SCRIPT $COMMITTED_SNAPSHOTS"
+          echo "and committing the results as part of your PR for review."
+          exit 1
+

tests/policy_snapshot/generate.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -eu
+
+SNAPSHOTS_DIR_DEFAULT="./tests/policy_snapshot/snapshots"
+SECURITY_POLICIES_C_DEFAULT="./tls/s2n_security_policies.c"
+
+function display_usage {
+    echo "Usage: $0 <policy_path> [snapshots_dir] [s2n_security_policies]"
+    echo
+    echo "Arguments:"
+    echo "  policy_path                 Path to the policy util binary"
+    echo "  snapshots_dir               Path to the snapshots directory"
+    echo "                              (default: $SNAPSHOTS_DIR_DEFAULT)"
+    echo "  s2n_security_policies       Path to the s2n_security_policies.c file"
+    echo "                              (default: $SECURITY_POLICIES_C_DEFAULT)"
+    echo
+    exit 1
+}
+
+if [ $# -lt 1 ] || [ $# -gt 3 ] || [ "$1" == "--help" ]; then
+    display_usage
+fi
+
+POLICY_BINARY="$1"
+SNAPSHOTS_DIR=${2:-$SNAPSHOTS_DIR_DEFAULT}
+SECURITY_POLICIES_C=${3:-$SECURITY_POLICIES_C_DEFAULT}
+
+echo "Using snapshots directory: $SNAPSHOTS_DIR"
+echo "Using policy binary: $POLICY_BINARY"
+echo "Using security policy file: $SECURITY_POLICIES_C"
+
+echo "Extracting security policy names..."
+POLICIES=$(grep -o '{ .version = "[^"]*"' $SECURITY_POLICIES_C \
+    | sed 's/{ .version = "\(.*\)"/\1/' | grep -v "^null$")
+
+COUNT=$(echo "$POLICIES" | wc -l)
+echo "Found $COUNT policies."
+
+rm -f $SNAPSHOTS_DIR/*
+
+for policy in $POLICIES; do
+    $POLICY_BINARY $policy > $SNAPSHOTS_DIR/$policy
+    echo "Generated snapshot for $policy..."
+done
+
+echo
+echo "Snapshots successfully generated."
+exit 0

tests/policy_snapshot/snapshots/20140601

@@ -0,0 +1,28 @@
+name: 20140601
+min version: SSLv3
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_RC4_128_SHA
+- TLS_RSA_WITH_RC4_128_MD5
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20141001

@@ -0,0 +1,28 @@
+name: 20141001
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_RC4_128_SHA
+- TLS_RSA_WITH_RC4_128_MD5
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20150202

@@ -0,0 +1,26 @@
+name: 20150202
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20150214

@@ -0,0 +1,28 @@
+name: 20150214
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20150306

@@ -0,0 +1,30 @@
+name: 20150306
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20160411

@@ -0,0 +1,33 @@
+name: 20160411
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_256_GCM_SHA384
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_256_CBC_SHA
+- TLS_RSA_WITH_AES_256_CBC_SHA256
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20160804

@@ -0,0 +1,33 @@
+name: 20160804
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_256_GCM_SHA384
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_256_CBC_SHA
+- TLS_RSA_WITH_AES_256_CBC_SHA256
+- TLS_RSA_WITH_3DES_EDE_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1

tests/policy_snapshot/snapshots/20160824

@@ -0,0 +1,28 @@
+name: 20160824
+min version: TLS1.0
+rules:
+- Perfect Forward Secrecy: no
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+signature schemes:
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224
+- rsa_pkcs1_sha1
+- ecdsa_sha1
+curves:
+- secp256r1
+- secp384r1