Update CloudFront security policies (#2238)

- includes TLS 1.3, pss signature schemes - previous versions are now marked as legacy
aws · Aug 31, 2020 · 0e550d1 · 0e550d1
1 parent 8cb7684
commit 0e550d1
Show file tree

Hide file tree

Showing 4 changed files with 219 additions and 17 deletions.
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
@@ -158,12 +158,13 @@ int main(int argc, char **argv)
             "CloudFront-Upstream-TLS-1-0",
             "CloudFront-Upstream-TLS-1-1",
             "CloudFront-Upstream-TLS-1-2",
-            "CloudFront-SSL-v-3",
-            "CloudFront-TLS-1-0-2014",
-            "CloudFront-TLS-1-0-2016",
-            "CloudFront-TLS-1-1-2016",
-            "CloudFront-TLS-1-2-2018",
-            "CloudFront-TLS-1-2-2019",
+            /* CloudFront legacy viewer facing policies (max TLS 1.2)  */
+            "CloudFront-SSL-v-3-Legacy",
+            "CloudFront-TLS-1-0-2014-Legacy",
+            "CloudFront-TLS-1-0-2016-Legacy",
+            "CloudFront-TLS-1-1-2016-Legacy",
+            "CloudFront-TLS-1-2-2018-Legacy",
+            "CloudFront-TLS-1-2-2019-Legacy",
             "KMS-TLS-1-0-2018-10",
 #if !defined(S2N_NO_PQ)
             "KMS-PQ-TLS-1-0-2019-06",
@@ -207,6 +208,14 @@ int main(int argc, char **argv)
             "test_all_tls13",
             "20190801",
             "20190802",
+            /* CloudFront viewer facing */
+            "CloudFront-SSL-v-3",
+            "CloudFront-TLS-1-0-2014",
+            "CloudFront-TLS-1-0-2016",
+            "CloudFront-TLS-1-1-2016",
+            "CloudFront-TLS-1-2-2018",
+            "CloudFront-TLS-1-2-2019",
+            /* CloudFront undocumented */
             "CloudFront-TLS-1-2-2020",
         };
         for (size_t i = 0; i < s2n_array_len(tls13_security_policy_strings); i++) {

diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
@@ -618,11 +618,14 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream = {
     .suites = cipher_suites_cloudfront_upstream,
 };
 
+/* CloudFront viewer facing (with TLS 1.3) */
 struct s2n_cipher_suite *cipher_suites_cloudfront_ssl_v_3[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
     &s2n_rsa_with_aes_128_gcm_sha256,
@@ -640,10 +643,12 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3 = {
 };
 
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
     &s2n_rsa_with_aes_128_gcm_sha256,
@@ -660,10 +665,12 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014 =
 };
 
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
     &s2n_rsa_with_aes_128_gcm_sha256,
@@ -679,10 +686,12 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016 =
 };
 
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
     &s2n_rsa_with_aes_128_gcm_sha256,
@@ -698,9 +707,11 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016 =
 };
 
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018[] = {
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_rsa_with_aes_128_gcm_sha256,
     &s2n_rsa_with_aes_256_gcm_sha384,
@@ -712,6 +723,114 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018 =
     .suites = cipher_suites_cloudfront_tls_1_2_2018,
 };
 
+/* CloudFront viewer facing legacy TLS 1.2 policies */
+struct s2n_cipher_suite *cipher_suites_cloudfront_ssl_v_3_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_gcm_sha256,
+    &s2n_rsa_with_aes_256_gcm_sha384,
+    &s2n_rsa_with_aes_128_cbc_sha256,
+    &s2n_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_cbc_sha,
+    &s2n_rsa_with_3des_ede_cbc_sha,
+    &s2n_rsa_with_rc4_128_md5
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_ssl_v_3_legacy),
+    .suites = cipher_suites_cloudfront_ssl_v_3_legacy,
+};
+
+struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_gcm_sha256,
+    &s2n_rsa_with_aes_256_gcm_sha384,
+    &s2n_rsa_with_aes_128_cbc_sha256,
+    &s2n_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_cbc_sha,
+    &s2n_rsa_with_3des_ede_cbc_sha,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2014_legacy),
+    .suites = cipher_suites_cloudfront_tls_1_0_2014_legacy,
+};
+
+struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_gcm_sha256,
+    &s2n_rsa_with_aes_256_gcm_sha384,
+    &s2n_rsa_with_aes_128_cbc_sha256,
+    &s2n_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_cbc_sha
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2016_legacy),
+    .suites = cipher_suites_cloudfront_tls_1_0_2016_legacy,
+};
+
+struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_gcm_sha256,
+    &s2n_rsa_with_aes_256_gcm_sha384,
+    &s2n_rsa_with_aes_128_cbc_sha256,
+    &s2n_rsa_with_aes_256_cbc_sha,
+    &s2n_rsa_with_aes_128_cbc_sha
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_tls_1_1_2016_legacy),
+    .suites = cipher_suites_cloudfront_tls_1_1_2016_legacy,
+};
+
+struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_rsa_with_aes_128_gcm_sha256,
+    &s2n_rsa_with_aes_256_gcm_sha384,
+    &s2n_rsa_with_aes_128_cbc_sha256
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2018_legacy),
+    .suites = cipher_suites_cloudfront_tls_1_2_2018_legacy,
+};
+
+struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019_legacy[] = {
+    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256
+};
+
+const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019_legacy = {
+    .count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2019_legacy),
+    .suites = cipher_suites_cloudfront_tls_1_2_2019_legacy,
+};
+
+/* CloudFront upstream */
 struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls10[] = {
     &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
     &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
@@ -794,8 +913,10 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls12
 };
 
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019[] = {
-    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+    &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
     &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
     &s2n_ecdhe_rsa_with_aes_128_cbc_sha256
 };
@@ -805,6 +926,7 @@ const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019 =
     .suites = cipher_suites_cloudfront_tls_1_2_2019,
 };
 
+/* CloudFront undocumented policies for testing */
 struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2020[] = {
     S2N_TLS13_CLOUDFRONT_CIPHER_SUITES_20200716,
     &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,

diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
@@ -64,16 +64,27 @@ extern const struct s2n_cipher_preferences elb_security_policy_fs_1_2_2019_08;
 extern const struct s2n_cipher_preferences elb_security_policy_fs_1_1_2019_08;
 extern const struct s2n_cipher_preferences elb_security_policy_fs_1_2_Res_2019_08;
 
+/* CloudFront upstream */
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls10;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls11;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls12;
+/* CloudFront viewer facing */
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018;
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019;
+
+/* CloudFront viewer facing legacy TLS 1.2 policies */
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3_legacy;
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014_legacy;
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016_legacy;
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016_legacy;
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018_legacy;
+extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019_legacy;
+/* CloudFront undocumented policies for testing */
 extern const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2020;
 
 extern const struct s2n_cipher_preferences cipher_preferences_kms_tls_1_0_2018_10;