feat: output utility for security policy

[jouho]

Release Summary:

Resolved issues:

Description of changes:

Adds three new utility functions for outputting security policy information:

1. s2n_security_policy_write_length(): Get the exact buffer size needed
2. s2n_security_policy_write_bytes(): Write policy data to a user buffer
3. s2n_security_policy_write_fd() : Write policy data to a file descriptor

We define a S2N_POLICY_FORMAT_DEBUG_V1 format that replaces the policy snapshot utility implementation. Future formats can be added as V2, V3, etc.

The name field was removed from output to ensure compatibility with custom security policies from policy builder.

Call-outs:

I ran the following command to regenerate all the snapshots and verify that the new policy output utility is working:

./tests/policy_snapshot/generate.sh build/bin/policy ./tests/policy_snapshot/snapshots

As a result, all snapshots were updated.

Testing:

Added unit tests for happy paths as well as negative paths. We have snapshot test that checks for exact content match.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[lrstewart]

The goal here isn't to print existing, hard-coded policies (except to share code with bin/policy.c). The goal is to print the newly constructed policies, to see the results of the builder. That means you cannot rely on security_policy_selection. The new policy won't be in security_policy_selection.

[jouho]

Ah right. If so I don't think the name field will be useful. I removed the field in the next revision, and updated the snapshots alongside.

[goatgoose]

Probably out of scope for this format, but I wonder if builder policies should still have a name that's generated with a hash of the contents or something. That way it'd be easy to determine if two separate policies built with the builder are the same or not. 🤔