diff options
| author | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-11 08:41:49 +0300 |
|---|---|---|
| committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-11 08:41:49 +0300 |
| commit | 3c6b83916202a9cafc749f9e0580ac0c507378be (patch) | |
| tree | f269bf1f2fcaf02c15cf9921e045082fa4a7914d | |
| parent | 17dbb95cd16a40cae47b42c20177d002399d0966 (diff) | |
| download | ydb-3c6b83916202a9cafc749f9e0580ac0c507378be.tar.gz | |
Update contrib/restricted/aws/s2n to 1.3.34
35 files changed, 251 insertions, 172 deletions
diff --git a/contrib/restricted/aws/s2n/CMakeLists.darwin.txt b/contrib/restricted/aws/s2n/CMakeLists.darwin.txt index 9b0b52a91ab..5b1516b606d 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.darwin.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.darwin.txt @@ -83,7 +83,10 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_network_order.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_pem.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_text.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_ems.c @@ -96,7 +99,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c @@ -109,7 +111,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_psk_key_exchange_modes.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_quic_transport_params.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_alpn.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_ems.c @@ -121,7 +122,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_aead.c diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt index bf1fc950d04..d03ea8fb0fc 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt @@ -78,7 +78,10 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_network_order.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_pem.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_text.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_ems.c @@ -91,7 +94,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c @@ -104,7 +106,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_psk_key_exchange_modes.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_quic_transport_params.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_alpn.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_ems.c @@ -116,7 +117,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_aead.c diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux.txt b/contrib/restricted/aws/s2n/CMakeLists.linux.txt index 889dcbbbc58..9737b44e301 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.linux.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.linux.txt @@ -85,7 +85,10 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_network_order.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_pem.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer_text.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_ems.c @@ -98,7 +101,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c @@ -111,7 +113,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_psk_key_exchange_modes.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_quic_transport_params.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_alpn.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_cookie.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_early_data_indication.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_ems.c @@ -123,7 +124,6 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_server_name.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_signature_algorithms.c - ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/extensions/s2n_supported_versions.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_aead.c diff --git a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c index 57a308d2278..7583b47da04 100644 --- a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c +++ b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c @@ -136,7 +136,8 @@ static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key POSIX_BAIL(S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API); #else uint8_t ctrl_buf[S2N_TLS12_AAD_LEN]; - struct s2n_blob ctrl_blob = { .data = ctrl_buf, .size = S2N_TLS12_AAD_LEN }; + struct s2n_blob ctrl_blob = { 0 }; + POSIX_GUARD(s2n_blob_init(&ctrl_blob, ctrl_buf, S2N_TLS12_AAD_LEN)); struct s2n_stuffer ctrl_stuffer = { 0 }; POSIX_GUARD(s2n_stuffer_init(&ctrl_stuffer, &ctrl_blob)); diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c index e2a26d9050f..dd666ae6537 100644 --- a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c +++ b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c @@ -115,7 +115,8 @@ int s2n_hkdf(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s const struct s2n_blob *key, const struct s2n_blob *info, struct s2n_blob *output) { uint8_t prk_pad[MAX_DIGEST_SIZE]; - struct s2n_blob pseudo_rand_key = { .data = prk_pad, .size = sizeof(prk_pad) }; + struct s2n_blob pseudo_rand_key = { 0 }; + POSIX_GUARD(s2n_blob_init(&pseudo_rand_key, prk_pad, sizeof(prk_pad))); POSIX_GUARD(s2n_hkdf_extract(hmac, alg, salt, key, &pseudo_rand_key)); POSIX_GUARD(s2n_hkdf_expand(hmac, alg, &pseudo_rand_key, info, output)); diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c index 275a3e132d1..aa97630cf0f 100644 --- a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c +++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c @@ -30,7 +30,8 @@ S2N_RESULT s2n_get_random_bytes(uint8_t *buffer, uint32_t num_bytes) { } static S2N_RESULT s2n_get_random_bytes_default(uint8_t *buffer, uint32_t num_bytes) { - struct s2n_blob out = { .data = buffer, .size = num_bytes }; + struct s2n_blob out = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&out, buffer, num_bytes)); RESULT_GUARD(s2n_get_private_random_data(&out)); return S2N_RESULT_OK; diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.c index d58cc1f4b3f..57521653b77 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.c @@ -13,7 +13,7 @@ * permissions and limitations under the License. */ -#include "tls/extensions/s2n_server_certificate_status.h" +#include "tls/extensions/s2n_cert_status.h" #include "tls/s2n_config.h" #include "tls/s2n_connection.h" @@ -27,23 +27,23 @@ * status request as well as the OCSP response. This contrasts to TLS 1.2 where * the OCSP response is sent in the Certificate Status handshake message */ -static bool s2n_tls13_server_status_request_should_send(struct s2n_connection *conn); +static bool s2n_cert_status_should_send(struct s2n_connection *conn); -const s2n_extension_type s2n_tls13_server_status_request_extension = { +const s2n_extension_type s2n_cert_status_extension = { .iana_value = TLS_EXTENSION_STATUS_REQUEST, .is_response = true, - .send = s2n_server_certificate_status_send, - .recv = s2n_server_certificate_status_recv, - .should_send = s2n_tls13_server_status_request_should_send, + .send = s2n_cert_status_send, + .recv = s2n_cert_status_recv, + .should_send = s2n_cert_status_should_send, .if_missing = s2n_extension_noop_if_missing, }; -static bool s2n_tls13_server_status_request_should_send(struct s2n_connection *conn) +static bool s2n_cert_status_should_send(struct s2n_connection *conn) { return s2n_server_can_send_ocsp(conn); } -int s2n_server_certificate_status_send(struct s2n_connection *conn, struct s2n_stuffer *out) +int s2n_cert_status_send(struct s2n_connection *conn, struct s2n_stuffer *out) { POSIX_ENSURE_REF(conn); struct s2n_blob *ocsp_status = &conn->handshake_params.our_chain_and_key->ocsp_status; @@ -56,7 +56,7 @@ int s2n_server_certificate_status_send(struct s2n_connection *conn, struct s2n_s return S2N_SUCCESS; } -int s2n_server_certificate_status_recv(struct s2n_connection *conn, struct s2n_stuffer *in) +int s2n_cert_status_recv(struct s2n_connection *conn, struct s2n_stuffer *in) { POSIX_ENSURE_REF(conn); /** diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.h index 205d3964b90..dd3e5c8fc23 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status.h @@ -19,7 +19,7 @@ #include "tls/extensions/s2n_extension_type.h" #include "tls/s2n_connection.h" -extern const s2n_extension_type s2n_server_status_request_extension; +extern const s2n_extension_type s2n_cert_status_extension; -/* Old-style extension functions -- remove after extensions refactor is complete */ -int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension); +int s2n_cert_status_send(struct s2n_connection *conn, struct s2n_stuffer *out); +int s2n_cert_status_recv(struct s2n_connection *conn, struct s2n_stuffer *in); diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.c index 5752c0a350f..a663c09e453 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.c @@ -13,41 +13,34 @@ * permissions and limitations under the License. */ -#include "tls/extensions/s2n_server_status_request.h" +#include "tls/extensions/s2n_cert_status_response.h" #include "stuffer/s2n_stuffer.h" #include "tls/s2n_connection.h" #include "tls/s2n_tls.h" #include "tls/s2n_tls_parameters.h" -static bool s2n_server_status_request_should_send(struct s2n_connection *conn); -static int s2n_server_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension); +static bool s2n_cert_status_response_should_send(struct s2n_connection *conn); +static int s2n_cert_status_response_recv(struct s2n_connection *conn, struct s2n_stuffer *extension); -const s2n_extension_type s2n_server_status_request_extension = { +const s2n_extension_type s2n_cert_status_response_extension = { .iana_value = TLS_EXTENSION_STATUS_REQUEST, .is_response = true, .send = s2n_extension_send_noop, - .recv = s2n_server_status_request_recv, - .should_send = s2n_server_status_request_should_send, + .recv = s2n_cert_status_response_recv, + .should_send = s2n_cert_status_response_should_send, .if_missing = s2n_extension_noop_if_missing, }; -static bool s2n_server_status_request_should_send(struct s2n_connection *conn) +static bool s2n_cert_status_response_should_send(struct s2n_connection *conn) { return s2n_server_can_send_ocsp(conn); } -int s2n_server_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension) +int s2n_cert_status_response_recv(struct s2n_connection *conn, struct s2n_stuffer *extension) { /* Read nothing. The extension just needs to exist. */ POSIX_ENSURE_REF(conn); conn->status_type = S2N_STATUS_REQUEST_OCSP; return S2N_SUCCESS; } - -/* Old-style extension functions -- remove after extensions refactor is complete */ - -int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension) -{ - return s2n_extension_recv(&s2n_server_status_request_extension, conn, extension); -} diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.h index 526a8f678cc..d2d389f003b 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_cert_status_response.h @@ -19,4 +19,4 @@ #include "tls/extensions/s2n_extension_type.h" #include "tls/s2n_connection.h" -extern const s2n_extension_type s2n_client_status_request_extension; +extern const s2n_extension_type s2n_cert_status_response_extension; diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.c index dec50e3a39b..7b5e658f6fd 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.c @@ -13,7 +13,7 @@ * permissions and limitations under the License. */ -#include "tls/extensions/s2n_client_status_request.h" +#include "tls/extensions/s2n_client_cert_status_request.h" #include <stdint.h> #include <sys/param.h> @@ -22,25 +22,25 @@ #include "tls/s2n_tls_parameters.h" #include "utils/s2n_safety.h" -static bool s2n_client_status_request_should_send(struct s2n_connection *conn); -static int s2n_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out); -static int s2n_client_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension); +static bool s2n_client_cert_status_request_should_send(struct s2n_connection *conn); +static int s2n_client_cert_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out); +static int s2n_client_cert_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension); -const s2n_extension_type s2n_client_status_request_extension = { +const s2n_extension_type s2n_client_cert_status_request_extension = { .iana_value = TLS_EXTENSION_STATUS_REQUEST, .is_response = false, - .send = s2n_client_status_request_send, - .recv = s2n_client_status_request_recv, - .should_send = s2n_client_status_request_should_send, + .send = s2n_client_cert_status_request_send, + .recv = s2n_client_cert_status_request_recv, + .should_send = s2n_client_cert_status_request_should_send, .if_missing = s2n_extension_noop_if_missing, }; -static bool s2n_client_status_request_should_send(struct s2n_connection *conn) +static bool s2n_client_cert_status_request_should_send(struct s2n_connection *conn) { return conn->config->status_request_type != S2N_STATUS_REQUEST_NONE; } -static int s2n_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out) +static int s2n_client_cert_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out) { POSIX_GUARD(s2n_stuffer_write_uint8(out, (uint8_t) conn->config->status_request_type)); @@ -60,7 +60,7 @@ static int s2n_client_status_request_send(struct s2n_connection *conn, struct s2 return S2N_SUCCESS; } -static int s2n_client_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension) +static int s2n_client_cert_status_request_recv(struct s2n_connection *conn, struct s2n_stuffer *extension) { if (s2n_stuffer_data_available(extension) < 5) { /* Malformed length, ignore the extension */ diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.h index 60e28f4a243..fa7738f1e1f 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_certificate_status.h +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_cert_status_request.h @@ -19,7 +19,4 @@ #include "tls/extensions/s2n_extension_type.h" #include "tls/s2n_connection.h" -extern const s2n_extension_type s2n_tls13_server_status_request_extension; - -int s2n_server_certificate_status_send(struct s2n_connection *conn, struct s2n_stuffer *out); -int s2n_server_certificate_status_recv(struct s2n_connection *conn, struct s2n_stuffer *in); +extern const s2n_extension_type s2n_client_cert_status_request_extension; diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_list.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_list.c index bffbebf14b5..71fd5213fdd 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_list.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_list.c @@ -173,7 +173,7 @@ int s2n_extension_list_parse(struct s2n_stuffer *in, s2n_parsed_extensions_list POSIX_GUARD(s2n_blob_init(&parsed_extension_list->raw, extensions_data, total_extensions_size)); - struct s2n_stuffer extensions_stuffer; + struct s2n_stuffer extensions_stuffer = { 0 }; POSIX_GUARD(s2n_stuffer_init(&extensions_stuffer, &parsed_extension_list->raw)); POSIX_GUARD(s2n_stuffer_skip_write(&extensions_stuffer, total_extensions_size)); diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_type_lists.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_type_lists.c index b928f1bc388..49b771bee3d 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_type_lists.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_extension_type_lists.c @@ -16,7 +16,10 @@ #include "tls/extensions/s2n_extension_type_lists.h" #include "api/s2n.h" +#include "tls/extensions/s2n_cert_status.h" +#include "tls/extensions/s2n_cert_status_response.h" #include "tls/extensions/s2n_client_alpn.h" +#include "tls/extensions/s2n_client_cert_status_request.h" #include "tls/extensions/s2n_client_key_share.h" #include "tls/extensions/s2n_client_max_frag_len.h" #include "tls/extensions/s2n_client_pq_kem.h" @@ -26,7 +29,6 @@ #include "tls/extensions/s2n_client_server_name.h" #include "tls/extensions/s2n_client_session_ticket.h" #include "tls/extensions/s2n_client_signature_algorithms.h" -#include "tls/extensions/s2n_client_status_request.h" #include "tls/extensions/s2n_client_supported_groups.h" #include "tls/extensions/s2n_client_supported_versions.h" #include "tls/extensions/s2n_cookie.h" @@ -37,7 +39,6 @@ #include "tls/extensions/s2n_psk_key_exchange_modes.h" #include "tls/extensions/s2n_quic_transport_params.h" #include "tls/extensions/s2n_server_alpn.h" -#include "tls/extensions/s2n_server_certificate_status.h" #include "tls/extensions/s2n_server_key_share.h" #include "tls/extensions/s2n_server_max_fragment_length.h" #include "tls/extensions/s2n_server_psk.h" @@ -46,7 +47,6 @@ #include "tls/extensions/s2n_server_server_name.h" #include "tls/extensions/s2n_server_session_ticket.h" #include "tls/extensions/s2n_server_signature_algorithms.h" -#include "tls/extensions/s2n_server_status_request.h" #include "tls/extensions/s2n_server_supported_versions.h" #include "tls/s2n_connection.h" @@ -67,7 +67,7 @@ static const s2n_extension_type *const client_hello_extensions[] = { &s2n_client_alpn_extension, &s2n_client_npn_extension, - &s2n_client_status_request_extension, + &s2n_client_cert_status_request_extension, &s2n_client_sct_list_extension, &s2n_client_max_frag_len_extension, &s2n_client_session_ticket_extension, @@ -88,7 +88,7 @@ static const s2n_extension_type *const tls12_server_hello_extensions[] = { &s2n_server_ec_point_format_extension, &s2n_server_renegotiation_info_extension, &s2n_server_alpn_extension, - &s2n_server_status_request_extension, + &s2n_cert_status_response_extension, &s2n_server_sct_list_extension, &s2n_server_max_fragment_length_extension, &s2n_server_session_ticket_extension, @@ -132,7 +132,7 @@ static const s2n_extension_type *const cert_req_extensions[] = { }; static const s2n_extension_type *const certificate_extensions[] = { - &s2n_tls13_server_status_request_extension, + &s2n_cert_status_extension, &s2n_server_sct_list_extension, }; diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_key_share.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_key_share.c index eefdf0c56da..4d1a2f1927d 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_key_share.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_key_share.c @@ -206,7 +206,7 @@ static int s2n_server_key_share_recv_pq_hybrid(struct s2n_connection *conn, uint /* Parse ECC key share */ uint16_t ecc_share_size; - struct s2n_blob point_blob; + struct s2n_blob point_blob = { 0 }; POSIX_GUARD(s2n_stuffer_read_uint16(extension, &ecc_share_size)); POSIX_ENSURE(s2n_ecc_evp_read_params_point(extension, ecc_share_size, &point_blob) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE); POSIX_ENSURE(s2n_ecc_evp_parse_params_point(&point_blob, &server_kem_group_params->ecc_params) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE); @@ -285,7 +285,7 @@ static int s2n_server_key_share_recv_ecc(struct s2n_connection *conn, uint16_t n S2N_ERROR_IF(s2n_stuffer_data_available(extension) < share_size, S2N_ERR_BAD_KEY_SHARE); /* Proceed to parse share */ - struct s2n_blob point_blob; + struct s2n_blob point_blob = { 0 }; S2N_ERROR_IF(s2n_ecc_evp_read_params_point(extension, share_size, &point_blob) < 0, S2N_ERR_BAD_KEY_SHARE); S2N_ERROR_IF(s2n_ecc_evp_parse_params_point(&point_blob, server_ecc_evp_params) < 0, S2N_ERR_BAD_KEY_SHARE); S2N_ERROR_IF(server_ecc_evp_params->evp_pkey == NULL, S2N_ERR_BAD_KEY_SHARE); diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_sct_list.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_sct_list.c index d062c1975ac..8a516d6ba7f 100644 --- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_sct_list.c +++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_sct_list.c @@ -54,7 +54,7 @@ int s2n_server_sct_list_recv(struct s2n_connection *conn, struct s2n_stuffer *ex { POSIX_ENSURE_REF(conn); - struct s2n_blob sct_list; + struct s2n_blob sct_list = { 0 }; size_t data_available = s2n_stuffer_data_available(extension); POSIX_GUARD(s2n_blob_init(&sct_list, s2n_stuffer_raw_read(extension, data_available), diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c b/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c index bfd22667f90..bc227698999 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c +++ b/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c @@ -130,7 +130,8 @@ int s2n_rsa_client_key_recv(struct s2n_connection *conn, struct s2n_blob *shared client_hello_protocol_version[1] = legacy_client_hello_protocol_version % 10; /* Decrypt the pre-master secret */ - struct s2n_blob encrypted = { .size = length, .data = s2n_stuffer_raw_read(in, length) }; + struct s2n_blob encrypted = { 0 }; + POSIX_GUARD(s2n_blob_init(&encrypted, s2n_stuffer_raw_read(in, length), length)); POSIX_ENSURE_REF(encrypted.data); POSIX_ENSURE_GT(encrypted.size, 0); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_handshake.c index 49e5aeea583..f7de288acdd 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.c @@ -224,7 +224,7 @@ static int s2n_find_cert_matches(struct s2n_map *domain_name_to_cert_map, struct s2n_cert_chain_and_key *matches[S2N_CERT_TYPE_COUNT], uint8_t *match_exists) { - struct s2n_blob map_value; + struct s2n_blob map_value = { 0 }; bool key_found = false; POSIX_GUARD_RESULT(s2n_map_lookup(domain_name_to_cert_map, dns_name, &map_value, &key_found)); if (key_found) { @@ -260,7 +260,7 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn) POSIX_GUARD(s2n_blob_init(&normalized_name, (uint8_t *) normalized_hostname, hostname_blob.size)); POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name)); - struct s2n_stuffer normalized_hostname_stuffer; + struct s2n_stuffer normalized_hostname_stuffer = { 0 }; POSIX_GUARD(s2n_stuffer_init(&normalized_hostname_stuffer, &normalized_name)); POSIX_GUARD(s2n_stuffer_skip_write(&normalized_hostname_stuffer, normalized_name.size)); @@ -275,7 +275,7 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn) char wildcard_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 }; struct s2n_blob wildcard_blob = { 0 }; POSIX_GUARD(s2n_blob_init(&wildcard_blob, (uint8_t *) wildcard_hostname, sizeof(wildcard_hostname))); - struct s2n_stuffer wildcard_stuffer; + struct s2n_stuffer wildcard_stuffer = { 0 }; POSIX_GUARD(s2n_stuffer_init(&wildcard_stuffer, &wildcard_blob)); POSIX_GUARD(s2n_create_wildcard_hostname(&normalized_hostname_stuffer, &wildcard_stuffer)); const uint32_t wildcard_len = s2n_stuffer_data_available(&wildcard_stuffer); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.h b/contrib/restricted/aws/s2n/tls/s2n_handshake.h index 5831afd9ac8..93b3da41755 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake.h +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.h @@ -82,6 +82,18 @@ typedef enum { S2N_ASYNC_COMPLETE, } s2n_async_state; +/* Indicates which state machine is being used. The handshake + * starts off on the initial enum, which indicates we're using + * the TLS12 state machine. Once the handshake version is determined + * the enum is set to either the TLS12 or TLS13 state machine. + * This works because the initial entries in both the TLS12 and + * TLS13 state machines are the same. */ +typedef enum { + S2N_STATE_MACHINE_INITIAL = 0, + S2N_STATE_MACHINE_TLS12, + S2N_STATE_MACHINE_TLS13, +} s2n_state_machine; + struct s2n_handshake_parameters { /* Public keys for server / client */ struct s2n_pkey server_public_key; @@ -184,6 +196,8 @@ struct s2n_handshake { /* Indicates that this is a renegotiation handshake */ unsigned renegotiation : 1; + + s2n_state_machine state_machine; }; /* Only used in our test cases. */ @@ -202,14 +216,18 @@ S2N_RESULT s2n_negotiate_until_message(struct s2n_connection *conn, s2n_blocked_ S2N_RESULT s2n_handshake_validate(const struct s2n_handshake *s2n_handshake); S2N_RESULT s2n_handshake_set_finished_len(struct s2n_connection *conn, uint8_t len); bool s2n_handshake_is_renegotiation(struct s2n_connection *conn); +S2N_RESULT s2n_handshake_message_send(struct s2n_connection *conn, uint8_t content_type, s2n_blocked_status *blocked); /* s2n_handshake_io */ int s2n_conn_set_handshake_type(struct s2n_connection *conn); int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn); +S2N_RESULT s2n_conn_choose_state_machine(struct s2n_connection *conn, uint8_t protocol_version); +bool s2n_handshake_is_complete(struct s2n_connection *conn); /* s2n_handshake_transcript */ +S2N_RESULT s2n_handshake_transcript_update(struct s2n_connection *conn); int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data); /* s2n_quic_support */ S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t *message_type); -S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn, struct s2n_blob *in); +S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c index 8c24781a9ae..87aa6efb88e 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c @@ -824,7 +824,7 @@ static const char *tls13_handshake_type_names[] = { "EARLY_CLIENT_CCS|", }; -#define IS_TLS13_HANDSHAKE(conn) ((conn)->actual_protocol_version == S2N_TLS13) +#define IS_TLS13_HANDSHAKE(conn) ((conn)->handshake.state_machine == S2N_STATE_MACHINE_TLS13) #define ACTIVE_STATE_MACHINE(conn) (IS_TLS13_HANDSHAKE(conn) ? tls13_state_machine : state_machine) #define ACTIVE_HANDSHAKES(conn) (IS_TLS13_HANDSHAKE(conn) ? tls13_handshakes : handshakes) @@ -1017,6 +1017,8 @@ int s2n_conn_set_handshake_type(struct s2n_connection *conn) POSIX_ENSURE_REF(conn); POSIX_ENSURE_REF(conn->secure); + POSIX_GUARD_RESULT(s2n_conn_choose_state_machine(conn, conn->actual_protocol_version)); + if (IS_TLS13_HANDSHAKE(conn)) { POSIX_GUARD_RESULT(s2n_conn_set_tls13_handshake_type(conn)); return S2N_SUCCESS; @@ -1109,6 +1111,26 @@ int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn) return S2N_SUCCESS; } +S2N_RESULT s2n_conn_choose_state_machine(struct s2n_connection *conn, uint8_t protocol_version) +{ + RESULT_ENSURE_REF(conn); + + /* This should never be called before we know what version we're on */ + RESULT_ENSURE_NE(protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION); + + if (protocol_version == S2N_TLS13) { + /* State machine should not change once set */ + RESULT_ENSURE_NE(conn->handshake.state_machine, S2N_STATE_MACHINE_TLS12); + conn->handshake.state_machine = S2N_STATE_MACHINE_TLS13; + } else { + /* State machine should not change once set */ + RESULT_ENSURE_NE(conn->handshake.state_machine, S2N_STATE_MACHINE_TLS13); + conn->handshake.state_machine = S2N_STATE_MACHINE_TLS12; + } + + return S2N_RESULT_OK; +} + const char *s2n_connection_get_last_message_name(struct s2n_connection *conn) { PTR_ENSURE_REF(conn); @@ -1167,6 +1189,40 @@ const char *s2n_connection_get_handshake_type_name(struct s2n_connection *conn) return handshake_type_str[handshake_type]; } +S2N_RESULT s2n_handshake_message_send(struct s2n_connection *conn, uint8_t content_type, s2n_blocked_status *blocked) +{ + RESULT_ENSURE_REF(conn); + struct s2n_stuffer *in = &conn->handshake.io; + + uint32_t size = s2n_stuffer_data_available(in); + if (size == 0) { + return S2N_RESULT_OK; + } + + if (s2n_connection_is_quic_enabled(conn)) { + RESULT_GUARD(s2n_quic_write_handshake_message(conn)); + RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); + return S2N_RESULT_OK; + } + + struct iovec iov = { 0 }; + iov.iov_len = size; + iov.iov_base = s2n_stuffer_raw_read(in, size); + RESULT_ENSURE_REF(iov.iov_base); + RESULT_GUARD_POSIX(s2n_stuffer_rewind_read(in, size)); + + uint32_t total_bytes_written = 0; + while (total_bytes_written < size) { + int bytes_written = s2n_record_writev(conn, content_type, &iov, 1, + total_bytes_written, size - total_bytes_written); + RESULT_GUARD_POSIX(bytes_written); + total_bytes_written += bytes_written; + RESULT_GUARD_POSIX(s2n_stuffer_skip_read(in, bytes_written)); + RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); + } + return S2N_RESULT_OK; +} + /* Writing is relatively straight forward, simply write each message out as a record, * we may fragment a message across multiple records, but we never coalesce multiple * messages into single records. @@ -1191,29 +1247,9 @@ static int s2n_handshake_write_io(struct s2n_connection *conn) } } - /* Write the handshake data to records in fragment sized chunks */ - struct s2n_blob out = { 0 }; - while (s2n_stuffer_data_available(&conn->handshake.io) > 0) { - uint16_t max_payload_size = 0; - POSIX_GUARD_RESULT(s2n_record_max_write_payload_size(conn, &max_payload_size)); - out.size = MIN(s2n_stuffer_data_available(&conn->handshake.io), max_payload_size); - - out.data = s2n_stuffer_raw_read(&conn->handshake.io, out.size); - POSIX_ENSURE_REF(out.data); - - if (s2n_connection_is_quic_enabled(conn)) { - POSIX_GUARD_RESULT(s2n_quic_write_handshake_message(conn, &out)); - } else { - POSIX_GUARD_RESULT(s2n_record_write(conn, record_type, &out)); - } - - /* MD5 and SHA sum the handshake data too */ - if (record_type == TLS_HANDSHAKE) { - POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &out)); - } - - /* Actually send the record. We could block here. Assume the caller will call flush before coming back. */ - POSIX_GUARD(s2n_flush(conn, &blocked)); + POSIX_GUARD_RESULT(s2n_handshake_message_send(conn, record_type, &blocked)); + if (record_type == TLS_HANDSHAKE) { + POSIX_GUARD_RESULT(s2n_handshake_transcript_update(conn)); } /* We're done sending the last record, reset everything */ @@ -1274,25 +1310,6 @@ static int s2n_read_full_handshake_message(struct s2n_connection *conn, uint8_t return 1; } -static int s2n_handshake_conn_update_hashes(struct s2n_connection *conn) -{ - uint8_t message_type; - uint32_t handshake_message_length; - - POSIX_GUARD(s2n_stuffer_reread(&conn->handshake.io)); - POSIX_GUARD_RESULT(s2n_handshake_parse_header(&conn->handshake.io, &message_type, &handshake_message_length)); - - struct s2n_blob handshake_record = { 0 }; - handshake_record.data = conn->handshake.io.blob.data; - handshake_record.size = TLS_HANDSHAKE_HEADER_LENGTH + handshake_message_length; - POSIX_ENSURE_REF(handshake_record.data); - - /* MD5 and SHA sum the handshake data too */ - POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &handshake_record)); - - return S2N_SUCCESS; -} - static int s2n_handshake_handle_sslv2(struct s2n_connection *conn) { S2N_ERROR_IF(ACTIVE_MESSAGE(conn) != CLIENT_HELLO, S2N_ERR_BAD_MESSAGE); @@ -1352,7 +1369,7 @@ static S2N_RESULT s2n_finish_read(struct s2n_connection *conn) { RESULT_ENSURE_REF(conn); - RESULT_GUARD_POSIX(s2n_handshake_conn_update_hashes(conn)); + RESULT_GUARD(s2n_handshake_transcript_update(conn)); RESULT_GUARD_POSIX(s2n_stuffer_wipe(&conn->handshake.io)); RESULT_GUARD(s2n_tls13_secrets_update(conn)); RESULT_GUARD(s2n_tls13_key_schedule_update(conn)); @@ -1584,12 +1601,17 @@ static int s2n_handle_retry_state(struct s2n_connection *conn) return S2N_SUCCESS; } +bool s2n_handshake_is_complete(struct s2n_connection *conn) +{ + return conn && ACTIVE_STATE(conn).writer == 'B'; +} + int s2n_negotiate_impl(struct s2n_connection *conn, s2n_blocked_status *blocked) { POSIX_ENSURE_REF(conn); POSIX_ENSURE_REF(blocked); - while (ACTIVE_STATE(conn).writer != 'B' && ACTIVE_MESSAGE(conn) != conn->handshake.end_of_messages) { + while (!s2n_handshake_is_complete(conn) && ACTIVE_MESSAGE(conn) != conn->handshake.end_of_messages) { errno = 0; s2n_errno = S2N_ERR_OK; diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_transcript.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_transcript.c index 5475a10ca69..4bcfdadc8c7 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake_transcript.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_transcript.c @@ -22,6 +22,23 @@ /* Length of the synthetic message header */ #define MESSAGE_HASH_HEADER_LENGTH 4 +S2N_RESULT s2n_handshake_transcript_update(struct s2n_connection *conn) +{ + RESULT_ENSURE_REF(conn); + + struct s2n_stuffer message = conn->handshake.io; + RESULT_GUARD_POSIX(s2n_stuffer_reread(&message)); + + struct s2n_blob data = { 0 }; + uint32_t len = s2n_stuffer_data_available(&message); + uint8_t *bytes = s2n_stuffer_raw_read(&message, len); + RESULT_ENSURE_REF(bytes); + RESULT_GUARD_POSIX(s2n_blob_init(&data, bytes, len)); + + RESULT_GUARD_POSIX(s2n_conn_update_handshake_hashes(conn, &data)); + return S2N_RESULT_OK; +} + int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data) { POSIX_ENSURE_REF(conn); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_type.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_type.c index 46d24ddaf3f..2494372f4c0 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake_type.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_type.c @@ -35,6 +35,7 @@ S2N_RESULT s2n_handshake_type_set_tls12_flag(struct s2n_connection *conn, s2n_tl RESULT_ENSURE_REF(conn); RESULT_ENSURE(s2n_connection_get_protocol_version(conn) < S2N_TLS13, S2N_ERR_HANDSHAKE_STATE); conn->handshake.handshake_type |= flag; + RESULT_GUARD(s2n_conn_choose_state_machine(conn, S2N_TLS12)); return S2N_RESULT_OK; } @@ -57,6 +58,7 @@ S2N_RESULT s2n_handshake_type_set_tls13_flag(struct s2n_connection *conn, s2n_tl RESULT_ENSURE_REF(conn); RESULT_ENSURE(s2n_connection_get_protocol_version(conn) >= S2N_TLS13, S2N_ERR_HANDSHAKE_STATE); conn->handshake.handshake_type |= flag; + RESULT_GUARD(s2n_conn_choose_state_machine(conn, S2N_TLS13)); return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c b/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c index aef15748ebd..e9059f5c047 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c +++ b/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c @@ -16,7 +16,7 @@ #include <strings.h> #include "error/s2n_errno.h" -#include "tls/extensions/s2n_server_certificate_status.h" +#include "tls/extensions/s2n_cert_status.h" #include "tls/s2n_cipher_suites.h" #include "tls/s2n_config.h" #include "tls/s2n_connection.h" @@ -27,7 +27,7 @@ int s2n_server_status_send(struct s2n_connection *conn) { if (s2n_server_can_send_ocsp(conn)) { - POSIX_GUARD(s2n_server_certificate_status_send(conn, &conn->handshake.io)); + POSIX_GUARD(s2n_cert_status_send(conn, &conn->handshake.io)); } return 0; @@ -35,5 +35,5 @@ int s2n_server_status_send(struct s2n_connection *conn) int s2n_server_status_recv(struct s2n_connection *conn) { - return s2n_server_certificate_status_recv(conn, &conn->handshake.io); + return s2n_cert_status_recv(conn, &conn->handshake.io); } diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c index 1a74dde55cc..1693ee60d9f 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c @@ -171,28 +171,14 @@ S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blo { struct s2n_stuffer *message = &conn->handshake.io; - uint32_t remaining = 0; - while ((remaining = s2n_stuffer_data_available(message)) > 0) { - /* Flush any existing records before we write a new record. - * We do not support buffering multiple handshake records. - */ - if (s2n_stuffer_data_available(&conn->out)) { - RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); - } - - uint16_t max_payload_size = 0; - RESULT_GUARD(s2n_record_max_write_payload_size(conn, &max_payload_size)); - - struct s2n_blob fragment = { 0 }; - uint32_t fragment_size = MIN(remaining, max_payload_size); - uint8_t *fragment_data = s2n_stuffer_raw_read(message, fragment_size); - RESULT_ENSURE_REF(fragment_data); - RESULT_GUARD_POSIX(s2n_blob_init(&fragment, fragment_data, fragment_size)); - - RESULT_GUARD(s2n_record_write(conn, TLS_HANDSHAKE, &fragment)); + /* Flush any existing records before we write a new handshake record. + * We do not support buffering multiple handshake records. + */ + if (s2n_stuffer_data_available(message)) { RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); } + RESULT_GUARD(s2n_handshake_message_send(conn, TLS_HANDSHAKE, blocked)); RESULT_GUARD_POSIX(s2n_stuffer_wipe(message)); return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_prf.c b/contrib/restricted/aws/s2n/tls/s2n_prf.c index 9f7e7b3aefe..131c26ef2f2 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_prf.c +++ b/contrib/restricted/aws/s2n/tls/s2n_prf.c @@ -488,7 +488,8 @@ static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct seed_c, out); } - struct s2n_blob half_secret = { .data = secret->data, .size = (secret->size + 1) / 2 }; + struct s2n_blob half_secret = { 0 }; + POSIX_GUARD(s2n_blob_init(&half_secret, secret->data, (secret->size + 1) / 2)); POSIX_GUARD(s2n_p_hash(conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out)); half_secret.data += secret->size - half_secret.size; @@ -501,12 +502,16 @@ int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *prem { POSIX_ENSURE_REF(conn); - struct s2n_blob client_random = { .size = sizeof(conn->handshake_params.client_random), .data = conn->handshake_params.client_random }; - struct s2n_blob server_random = { .size = sizeof(conn->handshake_params.server_random), .data = conn->handshake_params.server_random }; - struct s2n_blob master_secret = { .size = sizeof(conn->secrets.tls12.master_secret), .data = conn->secrets.tls12.master_secret }; + struct s2n_blob client_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random))); + struct s2n_blob server_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); + struct s2n_blob master_secret = { 0 }; + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); uint8_t master_secret_label[] = "master secret"; - struct s2n_blob label = { .size = sizeof(master_secret_label) - 1, .data = master_secret_label }; + struct s2n_blob label = { 0 }; + POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1)); return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret); } @@ -515,12 +520,16 @@ int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *p { POSIX_ENSURE_REF(conn); - struct s2n_blob client_random = { .size = sizeof(conn->handshake_params.client_random), .data = conn->handshake_params.client_random }; - struct s2n_blob server_random = { .size = sizeof(conn->handshake_params.server_random), .data = conn->handshake_params.server_random }; - struct s2n_blob master_secret = { .size = sizeof(conn->secrets.tls12.master_secret), .data = conn->secrets.tls12.master_secret }; + struct s2n_blob client_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random))); + struct s2n_blob server_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); + struct s2n_blob master_secret = { 0 }; + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); uint8_t master_secret_label[] = "hybrid master secret"; - struct s2n_blob label = { .size = sizeof(master_secret_label) - 1, .data = master_secret_label }; + struct s2n_blob label = { 0 }; + POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1)); return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->kex_params.client_key_exchange_message, &master_secret); } @@ -580,11 +589,13 @@ S2N_RESULT s2n_tls_prf_extended_master_secret(struct s2n_connection *conn, struc { RESULT_ENSURE_REF(conn); - struct s2n_blob extended_master_secret = { .size = sizeof(conn->secrets.tls12.master_secret), .data = conn->secrets.tls12.master_secret }; + struct s2n_blob extended_master_secret = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); uint8_t extended_master_secret_label[] = "extended master secret"; /* Subtract one from the label size to remove the "\0" */ - struct s2n_blob label = { .size = sizeof(extended_master_secret_label) - 1, .data = extended_master_secret_label }; + struct s2n_blob label = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&label, extended_master_secret_label, sizeof(extended_master_secret_label) - 1)); RESULT_GUARD_POSIX(s2n_prf(conn, premaster_secret, &label, session_hash, sha1_hash, NULL, &extended_master_secret)); @@ -833,9 +844,12 @@ int s2n_prf_key_expansion(struct s2n_connection *conn) POSIX_ENSURE_REF(conn); POSIX_ENSURE_REF(conn->secure); - struct s2n_blob client_random = { .data = conn->handshake_params.client_random, .size = sizeof(conn->handshake_params.client_random) }; - struct s2n_blob server_random = { .data = conn->handshake_params.server_random, .size = sizeof(conn->handshake_params.server_random) }; - struct s2n_blob master_secret = { .data = conn->secrets.tls12.master_secret, .size = sizeof(conn->secrets.tls12.master_secret) }; + struct s2n_blob client_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random))); + struct s2n_blob server_random = { 0 }; + POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); + struct s2n_blob master_secret = { 0 }; + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); struct s2n_blob label, out; uint8_t key_expansion_label[] = "key expansion"; uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN]; @@ -908,8 +922,10 @@ int s2n_prf_key_expansion(struct s2n_connection *conn) break; } - struct s2n_blob client_implicit_iv = { .data = conn->secure->client_implicit_iv, .size = implicit_iv_size }; - struct s2n_blob server_implicit_iv = { .data = conn->secure->server_implicit_iv, .size = implicit_iv_size }; + struct s2n_blob client_implicit_iv = { 0 }; + POSIX_GUARD(s2n_blob_init(&client_implicit_iv, conn->secure->client_implicit_iv, implicit_iv_size)); + struct s2n_blob server_implicit_iv = { 0 }; + POSIX_GUARD(s2n_blob_init(&server_implicit_iv, conn->secure->server_implicit_iv, implicit_iv_size)); POSIX_GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv)); POSIX_GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_psk.c b/contrib/restricted/aws/s2n/tls/s2n_psk.c index ebefe6c7bde..4b5e5b4f71c 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_psk.c +++ b/contrib/restricted/aws/s2n/tls/s2n_psk.c @@ -460,7 +460,7 @@ static S2N_RESULT s2n_psk_write_binder(struct s2n_connection *conn, struct s2n_p { RESULT_ENSURE_REF(binder_hash); - struct s2n_blob binder; + struct s2n_blob binder = { 0 }; uint8_t binder_data[S2N_TLS13_SECRET_MAX_LEN] = { 0 }; RESULT_GUARD_POSIX(s2n_blob_init(&binder, binder_data, binder_hash->size)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_quic_support.c b/contrib/restricted/aws/s2n/tls/s2n_quic_support.c index 66c6c3fdc06..15342299463 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_quic_support.c +++ b/contrib/restricted/aws/s2n/tls/s2n_quic_support.c @@ -115,13 +115,14 @@ S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t /* When using QUIC, S2N writes unencrypted handshake messages instead of encrypted records. * This method sets up the S2N output buffer to match the result of using s2n_record_write. */ -S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn, struct s2n_blob *in) +S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn) { RESULT_ENSURE_REF(conn); /* Allocate stuffer space now so that we don't have to realloc later in the handshake. */ RESULT_GUARD_POSIX(s2n_stuffer_resize_if_empty(&conn->out, S2N_EXPECTED_QUIC_MESSAGE_SIZE)); - RESULT_GUARD_POSIX(s2n_stuffer_write(&conn->out, in)); + RESULT_GUARD_POSIX(s2n_stuffer_copy(&conn->handshake.io, &conn->out, + s2n_stuffer_data_available(&conn->handshake.io))); return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_record_write.c b/contrib/restricted/aws/s2n/tls/s2n_record_write.c index 224fd218000..a6275769b52 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_record_write.c +++ b/contrib/restricted/aws/s2n/tls/s2n_record_write.c @@ -443,7 +443,7 @@ int s2n_record_writev(struct s2n_connection *conn, uint8_t content_type, const s * NOTE: We can't use the same random IV blob as both the initial block and IV since it will result in: * AES(Key, XOR(random_iv, random_iv)) == AES(Key, 0), which will be shared by all records in this session. */ - struct s2n_blob explicit_iv_placeholder; + struct s2n_blob explicit_iv_placeholder = { 0 }; uint8_t zero_block[S2N_TLS_MAX_IV_LEN] = { 0 }; POSIX_GUARD(s2n_blob_init(&explicit_iv_placeholder, zero_block, block_size)); POSIX_GUARD_RESULT(s2n_get_public_random_data(&explicit_iv_placeholder)); @@ -458,7 +458,8 @@ int s2n_record_writev(struct s2n_connection *conn, uint8_t content_type, const s } /* We are done with this sequence number, so we can increment it */ - struct s2n_blob seq = { .data = sequence_number, .size = S2N_TLS_SEQUENCE_NUM_LEN }; + struct s2n_blob seq = { 0 }; + POSIX_GUARD(s2n_blob_init(&seq, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN)); POSIX_GUARD(s2n_increment_sequence_number(&seq)); /* Write the plaintext data */ diff --git a/contrib/restricted/aws/s2n/tls/s2n_recv.c b/contrib/restricted/aws/s2n/tls/s2n_recv.c index 2255fd4e909..d90badaa993 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_recv.c +++ b/contrib/restricted/aws/s2n/tls/s2n_recv.c @@ -111,7 +111,8 @@ int s2n_read_full_record(struct s2n_connection *conn, uint8_t *record_type, int ssize_t s2n_recv_impl(struct s2n_connection *conn, void *buf, ssize_t size, s2n_blocked_status *blocked) { ssize_t bytes_read = 0; - struct s2n_blob out = { .data = (uint8_t *) buf }; + struct s2n_blob out = { 0 }; + POSIX_GUARD(s2n_blob_init(&out, (uint8_t *) buf, 0)); if (conn->closed) { return 0; diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c index 1c073c7faaf..6a269a720cf 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c +++ b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c @@ -76,8 +76,9 @@ int s2n_server_nst_send(struct s2n_connection *conn) { uint16_t session_ticket_len = S2N_TLS12_TICKET_SIZE_IN_BYTES; uint8_t data[S2N_TLS12_TICKET_SIZE_IN_BYTES] = { 0 }; - struct s2n_blob entry = { .data = data, .size = sizeof(data) }; - struct s2n_stuffer to; + struct s2n_blob entry = { 0 }; + POSIX_GUARD(s2n_blob_init(&entry, data, sizeof(data))); + struct s2n_stuffer to = { 0 }; uint32_t lifetime_hint_in_secs = (conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos) / ONE_SEC_IN_NANOS; diff --git a/contrib/restricted/aws/s2n/tls/s2n_shutdown.c b/contrib/restricted/aws/s2n/tls/s2n_shutdown.c index 877552ce8da..b076991e470 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_shutdown.c +++ b/contrib/restricted/aws/s2n/tls/s2n_shutdown.c @@ -39,6 +39,19 @@ int s2n_shutdown(struct s2n_connection *conn, s2n_blocked_status *more) /* Write it */ POSIX_GUARD(s2n_flush(conn, more)); + /* + * The purpose of the peer responding to our close_notify + * with its own close_notify is to prevent application data truncation. + * However, application data is not a concern during the handshake. + * + * Additionally, decrypting alerts sent during the handshake can be error prone + * due to different encryption keys and may lead to unnecessary error reporting + * and unnecessary blinding. + */ + if (!s2n_handshake_is_complete(conn)) { + return S2N_SUCCESS; + } + /* Assume caller isn't interested in pending incoming data */ if (conn->in_status == PLAINTEXT) { POSIX_GUARD(s2n_stuffer_wipe(&conn->header_in)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c index d49b8d40ad7..8d0e8423d94 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c @@ -23,7 +23,7 @@ static int s2n_zero_sequence_number(struct s2n_connection *conn, s2n_mode mode) { POSIX_ENSURE_REF(conn); POSIX_ENSURE_REF(conn->secure); - struct s2n_blob sequence_number; + struct s2n_blob sequence_number = { 0 }; if (mode == S2N_CLIENT) { POSIX_GUARD(s2n_blob_init(&sequence_number, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number))); } else { @@ -163,8 +163,8 @@ int s2n_update_application_traffic_keys(struct s2n_connection *conn, s2n_mode mo s2n_tls13_connection_keys(keys, conn); struct s2n_session_key *old_key; - struct s2n_blob old_app_secret; - struct s2n_blob app_iv; + struct s2n_blob old_app_secret = { 0 }; + struct s2n_blob app_iv = { 0 }; if (mode == S2N_CLIENT) { old_key = &conn->secure->client_key; diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c b/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c index 046c57e3893..de7b493ccea 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c @@ -35,7 +35,7 @@ static S2N_RESULT s2n_zero_sequence_number(struct s2n_connection *conn, s2n_mode { RESULT_ENSURE_REF(conn); RESULT_ENSURE_REF(conn->secure); - struct s2n_blob sequence_number; + struct s2n_blob sequence_number = { 0 }; if (mode == S2N_CLIENT) { RESULT_GUARD_POSIX(s2n_blob_init(&sequence_number, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number))); diff --git a/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c b/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c index c15f5b53d11..7e2c30c4c76 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c +++ b/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c @@ -325,7 +325,8 @@ static S2N_RESULT s2n_x509_validator_read_cert_chain(struct s2n_x509_validator * RESULT_ENSURE(validator->skip_cert_validation || s2n_x509_trust_store_has_certs(validator->trust_store), S2N_ERR_CERT_UNTRUSTED); RESULT_ENSURE(validator->state == INIT, S2N_ERR_INVALID_CERT_STATE); - struct s2n_blob cert_chain_blob = { .data = cert_chain_in, .size = cert_chain_len }; + struct s2n_blob cert_chain_blob = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&cert_chain_blob, cert_chain_in, cert_chain_len)); DEFER_CLEANUP(struct s2n_stuffer cert_chain_in_stuffer = { 0 }, s2n_stuffer_free); RESULT_GUARD_POSIX(s2n_stuffer_init(&cert_chain_in_stuffer, &cert_chain_blob)); @@ -467,7 +468,8 @@ static S2N_RESULT s2n_x509_validator_verify_cert_chain(struct s2n_x509_validator static S2N_RESULT s2n_x509_validator_read_leaf_info(struct s2n_connection *conn, uint8_t *cert_chain_in, uint32_t cert_chain_len, struct s2n_pkey *public_key, s2n_pkey_type *pkey_type, s2n_parsed_extensions_list *first_certificate_extensions) { - struct s2n_blob cert_chain_blob = { .data = cert_chain_in, .size = cert_chain_len }; + struct s2n_blob cert_chain_blob = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&cert_chain_blob, cert_chain_in, cert_chain_len)); DEFER_CLEANUP(struct s2n_stuffer cert_chain_in_stuffer = { 0 }, s2n_stuffer_free); RESULT_GUARD_POSIX(s2n_stuffer_init(&cert_chain_in_stuffer, &cert_chain_blob)); diff --git a/contrib/restricted/aws/s2n/utils/s2n_random.c b/contrib/restricted/aws/s2n/utils/s2n_random.c index 73fad07834c..97f81970745 100644 --- a/contrib/restricted/aws/s2n/utils/s2n_random.c +++ b/contrib/restricted/aws/s2n/utils/s2n_random.c @@ -134,8 +134,10 @@ static S2N_RESULT s2n_init_drbgs(void) { uint8_t s2n_public_drbg[] = "s2n public drbg"; uint8_t s2n_private_drbg[] = "s2n private drbg"; - struct s2n_blob public = { .data = s2n_public_drbg, .size = sizeof(s2n_public_drbg) }; - struct s2n_blob private = { .data = s2n_private_drbg, .size = sizeof(s2n_private_drbg) }; + struct s2n_blob public = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&public, s2n_public_drbg, sizeof(s2n_public_drbg))); + struct s2n_blob private = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&private, s2n_private_drbg, sizeof(s2n_private_drbg))); RESULT_GUARD(s2n_drbg_instantiate(&s2n_per_thread_rand_state.public_drbg, &public, S2N_AES_128_CTR_NO_DF_PR)); RESULT_GUARD(s2n_drbg_instantiate(&s2n_per_thread_rand_state.private_drbg, &private, S2N_AES_256_CTR_NO_DF_PR)); @@ -290,7 +292,8 @@ S2N_RESULT s2n_public_random(int64_t bound, uint64_t *output) RESULT_ENSURE_GT(bound, 0); while (1) { - struct s2n_blob blob = { .data = (void *) &r, sizeof(r) }; + struct s2n_blob blob = { 0 }; + RESULT_GUARD_POSIX(s2n_blob_init(&blob, (void *) &r, sizeof(r))); RESULT_GUARD(s2n_get_public_random_data(&blob)); /* Imagine an int was one byte and UINT_MAX was 256. If the @@ -319,7 +322,8 @@ S2N_RESULT s2n_public_random(int64_t bound, uint64_t *output) int s2n_openssl_compat_rand(unsigned char *buf, int num) { - struct s2n_blob out = { .data = buf, .size = num }; + struct s2n_blob out = { 0 }; + POSIX_GUARD(s2n_blob_init(&out, buf, num)); if (s2n_result_is_error(s2n_get_private_random_data(&out))) { return 0; @@ -465,7 +469,8 @@ S2N_RESULT s2n_set_private_drbg_for_test(struct s2n_drbg drbg) static int s2n_rand_rdrand_impl(void *data, uint32_t size) { #if defined(__x86_64__) || defined(__i386__) - struct s2n_blob out = { .data = data, .size = size }; + struct s2n_blob out = { 0 }; + POSIX_GUARD(s2n_blob_init(&out, data, size)); int space_remaining = 0; struct s2n_stuffer stuffer = { 0 }; union { |