fix: update default security policies

[lrstewart]

Resolved issues:

Updates #3894

Description of changes:

Update our default security policies to comply with current best practices.

This gist describes the old and new policies in a potentially more readable way: https://gist.github.com/lrstewart/112309644c7ed39be9682a5dfca49f8e

Changes to "default":

• Removed 1.0 and 1.1
• Removed SHA1 cipher suites and signature schemes
• Removed RSA key exchange cipher suites
• Removed ChaChaPoly cipher suites
• Removed SHA224 signature schemes
• Added ECDSA cipher suites
• Added RSA-PSS signature schemes
• Added secp521r1 curve
• Added x25519 curve
• Fix consistency: added missing TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (only CBC case missing)

Changes to "default_fips":

• Removed DHE cipher suites
• Removed SHA224 signature schemes
• Added RSA-PSS signature schemes
• Added secp521r1 curve
• Fix consistency: added missing legacy_rsa_pkcs1_sha224 to certificate signature schemes (legacy_ecdsa_sha224 already supported). I could avoid this fix if I made a new certificate signature schemes definition, but it doesn't seem worth it for what was likely originally a mistake. We're more lenient on certificate signatures in the defaults anyway.

Changes to "default_tls13":

• Removed 1.0 and 1.1
• Removed SHA1 cipher suites and signature schemes
• Removed RSA key exchange cipher suites
• Removed SHA224 signature schemes
• Added secp521r1 curve
• Added x25519 curve
• Prefer secp256r1 over x25519
• Prefer ECDSA over RSA (only relevant if both RSA and ECDSA certs available)
• Fix consistency: added missing TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (only CBC cases missing)

Call-outs:

• This does NOT add TLS1.3 to "default" or "default_fips". That will be the next update.
• Should I remove the RSA PKCS1 signature schemes completely? I'd like to, but the current "default" ONLY supports RSA with PKCS1, so that change would not be backwards compatible. The old and new policy would have no RSA signature schemes in common.
• Should I add certificate signature algorithms to "default"? I could use that to ban SHA1 form the certificate chain. But I'm concerned that might break current customers. Certificate chains are not as flexible as other options.
• Should I remove x25519? Removing it could slow our library down with HRRs while talking to standard clients like web browsers, so I've chosen to keep it.
• Should I remove CBC mode? It's somehow still allowed by both FIPS and AWS recommendations, so I'm leaning towards continuing to leave it.
• Can "default" and "default_fips" be the same? If we both remove x25519 and start enforcing restrictions on certificate signature schemes to ban SHA1. But I really don't think we can start enforcing certificate signature schemes, so no. Maybe we could attempt it in a later update.

Testing:

Updated some tests. I added comments to explain the non-obvious ones.
I also added a new test to verify the default changes are backwards compatible.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[lrstewart]

This test is very fragile. It cheats by assuming the payloads appear in preference order instead of labeling them with the curve. I reordered the preferences, so now I have to reorder the payloads.

[lrstewart]

The tests in this file need to be updated for the same reason as s2n_connection_test.c. See #4523 (comment)

[lrstewart]

This test asserts that "S2N_SIGNATURE_RSA" is used, and that worked because default only supported S2N_SIGNATURE_RSA. However, the updated default supports both S2N_SIGNATURE_RSA and S2N_SIGNATURE_RSA_PSS_RSAE. Rather than rewrite it to assert both, I'm just going to keep it on the old default.

[jmayclin]

Since we're planning on changing these more frequently going forward, is it still necessary to have a versioned copy of each default? I guess it's not terribly expensive, but it is unfortunate that we'll be creating so many more versioned policies. 😦

[lrstewart]

I think it's fairly unavoidable. If an update breaks a customer, they need to be able to switch to a policy equivalent to the old default.

[jmayclin]

This seems like it might be infeasibly restrictive. I agree that policy[i] should always be able to negotiate with policy[i - 1], but I don't think we should commit to policy[0] being able to negotiate with policy[n]

[lrstewart]

The problem is that customers aren't guaranteed to deploy every version of s2n-tls in order. It's not that we can NEVER violate this "compatible with all previous versions" promise, but we'll need to know and acknowledge that violating it is a big deal and could break customers who update really rarely.

[jmayclin]

Should I remove the RSA PKCS1 signature schemes completely? I’d like to, but the current “default” ONLY supports RSA with PKCS1, so that change would not be backwards compatible. The old and new policy would have no RSA signature schemes in common.

Agreed that we shouldn't remove it for now to avoid the backwards incompatible change. Future item.

Should I add certificate signature algorithms to “default”? I could use that to ban SHA1 form the certificate chain. But I’m concerned that might break current customers. Certificate chains are not as flexible as other options.

I don't think we should add it to default at this point in time, but I would support adding it (and key preferences) to default_fips

Should I remove x25519? Removing it could slow our library down with HRRs while talking to standard clients like web browsers, so I’ve chosen to keep it.

Agreed

Should I remove CBC mode? It’s somehow still allowed by both FIPS and AWS recommendations, so I’m leaning towards continuing to leave it.

Agreed, I'm fine with leaving it.

Can “default” and “default_fips” be the same? If we both remove x25519 and start enforcing restrictions on certificate signature schemes to ban SHA1. But I really don’t think we can start enforcing certificate signature schemes, so no. Maybe we could attempt it in a later update.

If they happen to align that would be nice, but I don't think it should be a goal.

[lrstewart]

I don't think we should add it to default at this point in time, but I would support of adding it to default_fips

We actually already have certificate signature algorithms for default_fips. But I noticed those didn't include RSA-PSS. I updated them.

[goatgoose]

Should I remove CBC mode? It’s somehow still allowed by both FIPS and AWS recommendations, so I’m leaning towards continuing to leave it.

I feel like it could be worth removing CBC in this change. The biggest risks seem like removing versions before TLS 1.2 and removing RSA cipher suites. But assuming TLS 1.2 can be negotiated with ECDHE, are clients really going to only offer CBC cipher suites? Not sure, though, maybe it's not worth the additional risk.

[lrstewart]

I'm still not convinced that removing CBC is worth any additional risk. The main issue with CBC is just potential timing attacks that we should be patched against anyway. RSA kex isn't forward secret, and there's no way to patch that. TLS 1.0 and 1.1 are just generally insecure, and have been involved in downgrade attacks before. I just don't think CBC rises to the same level.

[goatgoose]

Should I remove CBC mode? It’s somehow still allowed by both FIPS and AWS recommendations, so I’m leaning towards continuing to leave it.

I feel like it could be worth removing CBC in this change. The biggest risks seem like removing versions before TLS 1.2 and removing RSA cipher suites. But assuming TLS 1.2 can be negotiated with ECDHE, are clients really going to only offer CBC cipher suites? Not sure, though, maybe it's not worth the additional risk.

[lrstewart]

I added ChaChaPoly back to default_tls13: https://gist.github.com/lrstewart/112309644c7ed39be9682a5dfca49f8e