author | robot-contrib <robot-contrib@yandex-team.com> | 2023-04-19 09:30:08 +0300 |
committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-04-19 09:30:08 +0300 |
commit | bbce3f5cecdf453747a498f97c3a644782ba80ec (patch) | |
tree | dba4ad561b48e2f96e7b252b1d600fa3cd2815fd | |
parent | 9c7fa5c7b2caf9a0f6416289b2cd9e8feb19a191 (diff) | |
download | ydb-bbce3f5cecdf453747a498f97c3a644782ba80ec.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.42
14 files changed, 97 insertions, 65 deletions
diff --git a/contrib/restricted/aws/s2n/api/unstable/fingerprint.h b/contrib/restricted/aws/s2n/api/unstable/fingerprint.h index f76b2e03da..90ecbfb144 100644 --- a/contrib/restricted/aws/s2n/api/unstable/fingerprint.h +++ b/contrib/restricted/aws/s2n/api/unstable/fingerprint.h @@ -52,7 +52,7 @@ typedef enum { * output of `s2n_client_hello_get_fingerprint_string`. * @returns S2N_SUCCESS on success, S2N_FAILURE on failure. */ -int s2n_client_hello_get_fingerprint_hash(struct s2n_client_hello *ch, +S2N_API int s2n_client_hello_get_fingerprint_hash(struct s2n_client_hello *ch, s2n_fingerprint_type type, uint32_t max_hash_size, uint8_t *hash, uint32_t *hash_size, uint32_t *str_size); @@ -71,7 +71,7 @@ int s2n_client_hello_get_fingerprint_hash(struct s2n_client_hello *ch, * @param output_size The actual size of the data written to `output`. * @returns S2N_SUCCESS on success, S2N_FAILURE on failure. */ -int s2n_client_hello_get_fingerprint_string(struct s2n_client_hello *ch, +S2N_API int s2n_client_hello_get_fingerprint_string(struct s2n_client_hello *ch, s2n_fingerprint_type type, uint32_t max_size, uint8_t *output, uint32_t *output_size); @@ -87,7 +87,7 @@ int s2n_client_hello_get_fingerprint_string(struct s2n_client_hello *ch, * @param size The size of raw_message. * @returns A new s2n_client_hello on success, or NULL on failure. */ -struct s2n_client_hello *s2n_client_hello_parse_message(const uint8_t *bytes, uint32_t size); +S2N_API struct s2n_client_hello *s2n_client_hello_parse_message(const uint8_t *bytes, uint32_t size); /** * Frees an s2n_client_hello structure. @@ -99,4 +99,4 @@ struct s2n_client_hello *s2n_client_hello_parse_message(const uint8_t *bytes, ui * @param ch The structure to be freed. * @returns S2N_SUCCESS on success, S2N_FAILURE on failure. */ -int s2n_client_hello_free(struct s2n_client_hello **ch); +S2N_API int s2n_client_hello_free(struct s2n_client_hello **ch); 
diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_hello.c b/contrib/restricted/aws/s2n/tls/s2n_client_hello.c
index 91d8664371..4e3c33ed30 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_client_hello.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_client_hello.c
@@ -64,27 +64,34 @@ static S2N_RESULT s2n_generate_client_session_id(struct s2n_connection *conn) return S2N_RESULT_OK; } - /* Only generate the session id for pre-TLS1.3 if using tickets */ - if (conn->client_protocol_version < S2N_TLS13 && !conn->config->use_tickets) { - return S2N_RESULT_OK; + /* Only generate the session id if using tickets */ + bool generate = conn->config->use_tickets; + + /* TLS1.3 doesn't require session ids. The field is actually renamed to legacy_session_id. + * However, we still set a session id if dealing with troublesome middleboxes + * (middlebox compatibility mode) or if trying to use a TLS1.2 ticket. + */ + if (conn->client_protocol_version >= S2N_TLS13) { + generate = s2n_is_middlebox_compat_enabled(conn) || conn->resume_protocol_version; } - /* Only generate the session id for TLS1.3 if in middlebox compatibility mode - * - * s2n_connection_get_protocol_version, which returns conn->actual_protocol_version, is used here because - * s2n_tls12_client_deserialize_session_state sets actual_protocol_version based on the protocol the - * server that issued the session ticket indicated. If we are attempting to resume a session for that - * session ticket, we should base the decision of whether to generate a session ID on the protocol version - * we are attempting to resume with. */ - if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13 && !s2n_is_middlebox_compat_enabled(conn)) { + /* Session id not needed - no-op */ + if (!generate) { return S2N_RESULT_OK; } + /* QUIC should not allow session ids for any reason. + * + *= https://tools.ietf.org/rfc/rfc9001#section-8.4 + *# A server SHOULD treat the receipt of a TLS ClientHello with a non-empty + *# legacy_session_id field as a connection error of type PROTOCOL_VIOLATION. 
+ */ + RESULT_ENSURE(!conn->quic_enabled, S2N_ERR_UNSUPPORTED_WITH_QUIC); + struct s2n_blob session_id = { 0 }; RESULT_GUARD_POSIX(s2n_blob_init(&session_id, conn->session_id, S2N_TLS_SESSION_ID_MAX_LEN)); RESULT_GUARD(s2n_get_public_random_data(&session_id)); conn->session_id_len = S2N_TLS_SESSION_ID_MAX_LEN; - return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c b/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c index 865427952c..fdb08fb88b 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c +++ b/contrib/restricted/aws/s2n/tls/s2n_client_key_exchange.c @@ -104,7 +104,7 @@ int s2n_rsa_client_key_recv(struct s2n_connection *conn, struct s2n_blob *shared { /* Set shared_key before async guard to pass the proper shared_key to the caller upon async completion */ POSIX_ENSURE_REF(shared_key); - shared_key->data = conn->secrets.tls12.rsa_premaster_secret; + shared_key->data = conn->secrets.version.tls12.rsa_premaster_secret; shared_key->size = S2N_TLS_SECRET_LEN; S2N_ASYNC_PKEY_GUARD(conn); @@ -137,8 +137,8 @@ int s2n_rsa_client_key_recv(struct s2n_connection *conn, struct s2n_blob *shared /* First: use a random pre-master secret */ POSIX_GUARD_RESULT(s2n_get_private_random_data(shared_key)); - conn->secrets.tls12.rsa_premaster_secret[0] = client_hello_protocol_version[0]; - conn->secrets.tls12.rsa_premaster_secret[1] = client_hello_protocol_version[1]; + conn->secrets.version.tls12.rsa_premaster_secret[0] = client_hello_protocol_version[0]; + conn->secrets.version.tls12.rsa_premaster_secret[1] = client_hello_protocol_version[1]; S2N_ASYNC_PKEY_DECRYPT(conn, &encrypted, shared_key, s2n_rsa_client_key_recv_complete); } 
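Review bot: The comment `/* Only generate the session id if using tickets */` above `bool generate = conn->config->use_tickets;` no longer describes the TLS1.3 branch directly below it, which overwrites `generate` with `s2n_is_middlebox_compat_enabled(conn) || conn->resume_protocol_version` independent of `use_tickets`, so in middlebox compatibility mode a session id is produced even with tickets disabled (the removed comment said "pre-TLS1.3", which was the accurate scope). Suggest `/* Pre-TLS1.3: only generate the session id if using tickets */` so the two rules read as separate. `conn->resume_protocol_version` is a `uint8_t` tested for truth here; `conn->resume_protocol_version != 0` would make the zero-means-unset convention explicit at the use site. The opening lines of `s2n_generate_client_session_id` are outside the hunk.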
@@ -148,9 +148,9 @@ int s2n_rsa_client_key_recv_complete(struct s2n_connection *conn, bool rsa_faile S2N_ERROR_IF(decrypted->size != S2N_TLS_SECRET_LEN, S2N_ERR_SIZE_MISMATCH); /* Avoid copying the same buffer for the case where async pkey is not used */ - if (conn->secrets.tls12.rsa_premaster_secret != decrypted->data) { + if (conn->secrets.version.tls12.rsa_premaster_secret != decrypted->data) { /* Copy (maybe) decrypted data into shared key */ - POSIX_CHECKED_MEMCPY(conn->secrets.tls12.rsa_premaster_secret, decrypted->data, S2N_TLS_SECRET_LEN); + POSIX_CHECKED_MEMCPY(conn->secrets.version.tls12.rsa_premaster_secret, decrypted->data, S2N_TLS_SECRET_LEN); } /* Get client hello protocol version for comparison with decrypted data */ @@ -163,7 +163,7 @@ int s2n_rsa_client_key_recv_complete(struct s2n_connection *conn, bool rsa_faile /* Set rsa_failed to true, if it isn't already, if the protocol version isn't what we expect */ conn->handshake.rsa_failed |= !s2n_constant_time_equals(client_hello_protocol_version, - conn->secrets.tls12.rsa_premaster_secret, S2N_TLS_PROTOCOL_VERSION_LEN); + conn->secrets.version.tls12.rsa_premaster_secret, S2N_TLS_PROTOCOL_VERSION_LEN); return 0; } @@ -258,7 +258,7 @@ int s2n_rsa_client_key_send(struct s2n_connection *conn, struct s2n_blob *shared client_hello_protocol_version[0] = legacy_client_hello_protocol_version / 10; client_hello_protocol_version[1] = legacy_client_hello_protocol_version % 10; - shared_key->data = conn->secrets.tls12.rsa_premaster_secret; + shared_key->data = conn->secrets.version.tls12.rsa_premaster_secret; shared_key->size = S2N_TLS_SECRET_LEN; POSIX_GUARD_RESULT(s2n_get_private_random_data(shared_key)); 
@@ -267,7 +267,7 @@ int s2n_rsa_client_key_send(struct s2n_connection *conn, struct s2n_blob *shared * The latest version supported by client (as seen from the the client hello version) are <= TLS1.2 * for all clients, because TLS 1.3 clients freezes the TLS1.2 legacy version in client hello. */ - POSIX_CHECKED_MEMCPY(conn->secrets.tls12.rsa_premaster_secret, client_hello_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN); + POSIX_CHECKED_MEMCPY(conn->secrets.version.tls12.rsa_premaster_secret, client_hello_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN); uint32_t encrypted_size = 0; POSIX_GUARD_RESULT(s2n_pkey_size(&conn->handshake_params.server_public_key, &encrypted_size)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.h b/contrib/restricted/aws/s2n/tls/s2n_connection.h index 503b488ff5..60d29b6cad 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_connection.h +++ b/contrib/restricted/aws/s2n/tls/s2n_connection.h @@ -201,6 +201,11 @@ struct s2n_connection { uint8_t client_protocol_version; uint8_t server_protocol_version; uint8_t actual_protocol_version; + /* The version stored in the ticket / session we are resuming. + * We expect the connection to negotiate this version during + * the resumption handshake. + */ + uint8_t resume_protocol_version; /* Flag indicating whether a protocol version has been * negotiated yet. */ @@ -209,7 +214,7 @@ struct s2n_connection { /* Our crypto parameters */ struct s2n_crypto_parameters *initial; struct s2n_crypto_parameters *secure; - union s2n_secrets secrets; + struct s2n_secrets secrets; /* Which set is the client/server actually using? */ struct s2n_crypto_parameters *client; diff --git a/contrib/restricted/aws/s2n/tls/s2n_crypto.h b/contrib/restricted/aws/s2n/tls/s2n_crypto.h index 2e72224f3c..5dd5d16b4b 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_crypto.h +++ b/contrib/restricted/aws/s2n/tls/s2n_crypto.h 
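Review bot: The new comment on `resume_protocol_version` in s2n_connection.h does not say that zero means no resumption state has been loaded, yet the rest of this series depends on that: the new `s2n_resume_protocol_version` helper in s2n_resume.c and the session-id decision in s2n_client_hello.c both test the field for truth. Suggest extending the comment with `* Zero when no ticket / session state has been deserialized.` and naming the writer, `s2n_tls12_client_deserialize_session_state`, so the field's lifetime is discoverable from the header rather than from the call sites. The `union s2n_secrets` → `struct s2n_secrets` change in the second hunk needs no further comment here since s2n_crypto.h owns the definition.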
@@ -47,9 +47,12 @@ struct s2n_tls12_secrets { uint8_t master_secret[S2N_TLS_SECRET_LEN]; }; -union s2n_secrets { - struct s2n_tls12_secrets tls12; - struct s2n_tls13_secrets tls13; +struct s2n_secrets { + union { + struct s2n_tls12_secrets tls12; + struct s2n_tls13_secrets tls13; + } version; + s2n_extract_secret_type_t extract_secret_type; }; struct s2n_crypto_parameters { diff --git a/contrib/restricted/aws/s2n/tls/s2n_key_log.c b/contrib/restricted/aws/s2n/tls/s2n_key_log.c index ec2ea3cb6c..0ea0ed182f 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_key_log.c +++ b/contrib/restricted/aws/s2n/tls/s2n_key_log.c @@ -160,7 +160,7 @@ S2N_RESULT s2n_key_log_tls12_secret(struct s2n_connection *conn) RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(&output, label, label_size)); RESULT_GUARD(s2n_key_log_hex_encode(&output, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN)); RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(&output, ' ')); - RESULT_GUARD(s2n_key_log_hex_encode(&output, conn->secrets.tls12.master_secret, S2N_TLS_SECRET_LEN)); + RESULT_GUARD(s2n_key_log_hex_encode(&output, conn->secrets.version.tls12.master_secret, S2N_TLS_SECRET_LEN)); uint8_t *data = s2n_stuffer_raw_read(&output, len); RESULT_ENSURE_REF(data); diff --git a/contrib/restricted/aws/s2n/tls/s2n_prf.c b/contrib/restricted/aws/s2n/tls/s2n_prf.c index 3519f08365..325968cff4 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_prf.c +++ b/contrib/restricted/aws/s2n/tls/s2n_prf.c 
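Review bot: The new `struct s2n_secrets` gives no reason why `extract_secret_type` now sits beside the `version` union instead of inside `tls13`, and that reason (a TLS1.2 write into the union must not clobber the TLS1.3 key-schedule position, and the position must be readable whichever member is active) is exactly what a later refactor would be tempted to undo. Suggest `/* Key schedule progress; kept outside the union so TLS1.2 secrets cannot alias it */` above the field. Whether the wipe path that zeroes the connection's secrets as a whole still covers the relocated field is not visible in this diff; the explicit resets shown in s2n_tls13_secrets.c and s2n_tls13_key_schedule.c cover only the key-schedule paths, so that is worth confirming.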
@@ -507,7 +507,7 @@ int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *prem struct s2n_blob server_random = { 0 }; POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); struct s2n_blob master_secret = { 0 }; - POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); uint8_t master_secret_label[] = "master secret"; struct s2n_blob label = { 0 }; @@ -525,7 +525,7 @@ int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *p struct s2n_blob server_random = { 0 }; POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); struct s2n_blob master_secret = { 0 }; - POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); uint8_t master_secret_label[] = "hybrid master secret"; struct s2n_blob label = { 0 }; @@ -590,7 +590,7 @@ S2N_RESULT s2n_tls_prf_extended_master_secret(struct s2n_connection *conn, struc RESULT_ENSURE_REF(conn); struct s2n_blob extended_master_secret = { 0 }; - RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); uint8_t extended_master_secret_label[] = "extended master secret"; /* Subtract one from the label size to remove the "\0" */ 
@@ -639,11 +639,11 @@ static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], st struct s2n_hash_state *md5 = hash_workspace; POSIX_GUARD(s2n_hash_copy(md5, &conn->handshake.hashes->md5)); POSIX_GUARD(s2n_hash_update(md5, prefix, 4)); - POSIX_GUARD(s2n_hash_update(md5, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); POSIX_GUARD(s2n_hash_update(md5, xorpad1, 48)); POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); POSIX_GUARD(s2n_hash_reset(md5)); - POSIX_GUARD(s2n_hash_update(md5, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); POSIX_GUARD(s2n_hash_update(md5, xorpad2, 48)); POSIX_GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH)); POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); 
@@ -652,11 +652,11 @@ static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], st struct s2n_hash_state *sha1 = hash_workspace; POSIX_GUARD(s2n_hash_copy(sha1, &conn->handshake.hashes->sha1)); POSIX_GUARD(s2n_hash_update(sha1, prefix, 4)); - POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); POSIX_GUARD(s2n_hash_update(sha1, xorpad1, 40)); POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); POSIX_GUARD(s2n_hash_reset(sha1)); - POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); POSIX_GUARD(s2n_hash_update(sha1, xorpad2, 40)); POSIX_GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH)); POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); @@ -708,8 +708,8 @@ int s2n_prf_client_finished(struct s2n_connection *conn) label.data = client_finished_label; label.size = sizeof(client_finished_label) - 1; - master_secret.data = conn->secrets.tls12.master_secret; - master_secret.size = sizeof(conn->secrets.tls12.master_secret); + master_secret.data = conn->secrets.version.tls12.master_secret; + master_secret.size = sizeof(conn->secrets.version.tls12.master_secret); if (conn->actual_protocol_version == S2N_TLS12) { switch (conn->secure->cipher_suite->prf_alg) { case S2N_HMAC_SHA256: 
@@ -766,8 +766,8 @@ int s2n_prf_server_finished(struct s2n_connection *conn) label.data = server_finished_label; label.size = sizeof(server_finished_label) - 1; - master_secret.data = conn->secrets.tls12.master_secret; - master_secret.size = sizeof(conn->secrets.tls12.master_secret); + master_secret.data = conn->secrets.version.tls12.master_secret; + master_secret.size = sizeof(conn->secrets.version.tls12.master_secret); if (conn->actual_protocol_version == S2N_TLS12) { switch (conn->secure->cipher_suite->prf_alg) { case S2N_HMAC_SHA256: @@ -849,7 +849,7 @@ int s2n_prf_key_expansion(struct s2n_connection *conn) struct s2n_blob server_random = { 0 }; POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random))); struct s2n_blob master_secret = { 0 }; - POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls12.master_secret, sizeof(conn->secrets.tls12.master_secret))); + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret))); struct s2n_blob label, out; uint8_t key_expansion_label[] = "key expansion"; uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN]; diff --git a/contrib/restricted/aws/s2n/tls/s2n_resume.c b/contrib/restricted/aws/s2n/tls/s2n_resume.c index bd8015e475..c667020017 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_resume.c +++ b/contrib/restricted/aws/s2n/tls/s2n_resume.c 
@@ -43,6 +43,23 @@ int s2n_allowed_to_cache_connection(struct s2n_connection *conn) return config->use_session_cache; } +/* If a protocol version is required before the actual_protocol_version + * is negotiated, we should fall back to resume_protocol_version if available. + * + * This covers the case where the application requests a ticket / session state + * before a NewSessionTicket message has been sent or received. Historically, + * in that case we return the ticket / session state already set for the connection. + * resume_protocol_version represents the protocol version of that existing ticket / state. + */ +static uint8_t s2n_resume_protocol_version(struct s2n_connection *conn) +{ + if (!IS_NEGOTIATED(conn) && conn->resume_protocol_version) { + return conn->resume_protocol_version; + } else { + return conn->actual_protocol_version; + } +} + static int s2n_tls12_serialize_resumption_state(struct s2n_connection *conn, struct s2n_stuffer *to) { POSIX_ENSURE_REF(to); @@ -58,10 +75,10 @@ static int s2n_tls12_serialize_resumption_state(struct s2n_connection *conn, str /* Write the entry */ POSIX_GUARD(s2n_stuffer_write_uint8(to, S2N_SERIALIZED_FORMAT_TLS12_V3)); - POSIX_GUARD(s2n_stuffer_write_uint8(to, conn->actual_protocol_version)); + POSIX_GUARD(s2n_stuffer_write_uint8(to, s2n_resume_protocol_version(conn))); POSIX_GUARD(s2n_stuffer_write_bytes(to, conn->secure->cipher_suite->iana_value, S2N_TLS_CIPHER_SUITE_LEN)); POSIX_GUARD(s2n_stuffer_write_uint64(to, now)); - POSIX_GUARD(s2n_stuffer_write_bytes(to, conn->secrets.tls12.master_secret, S2N_TLS_SECRET_LEN)); + POSIX_GUARD(s2n_stuffer_write_bytes(to, conn->secrets.version.tls12.master_secret, S2N_TLS_SECRET_LEN)); POSIX_GUARD(s2n_stuffer_write_uint8(to, conn->ems_negotiated)); return S2N_SUCCESS; 
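Review bot: `s2n_resume_protocol_version` returns on both paths, so the `else` after the `return` is redundant; the guard form reads more directly: `if (!IS_NEGOTIATED(conn) && conn->resume_protocol_version) { return conn->resume_protocol_version; } return conn->actual_protocol_version;`. The header comment explains the fallback well; one addition that would help is stating that a zero `resume_protocol_version` is treated as "no state loaded", since that is the only reason the truth test in the condition is correct. `s2n_tls12_serialize_resumption_state` in the second hunk continues past the hunk end.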
@@ -126,7 +143,7 @@ static S2N_RESULT s2n_tls13_serialize_resumption_state(struct s2n_connection *co static S2N_RESULT s2n_serialize_resumption_state(struct s2n_connection *conn, struct s2n_stuffer *out) { - if (conn->actual_protocol_version < S2N_TLS13) { + if (s2n_resume_protocol_version(conn) < S2N_TLS13) { RESULT_GUARD_POSIX(s2n_tls12_serialize_resumption_state(conn, out)); } else { RESULT_GUARD(s2n_tls13_serialize_resumption_state(conn, out)); @@ -158,7 +175,7 @@ static int s2n_tls12_deserialize_resumption_state(struct s2n_connection *conn, s S2N_ERROR_IF(then > now, S2N_ERR_INVALID_SERIALIZED_SESSION_STATE); S2N_ERROR_IF(now - then > conn->config->session_state_lifetime_in_nanos, S2N_ERR_INVALID_SERIALIZED_SESSION_STATE); - POSIX_GUARD(s2n_stuffer_read_bytes(from, conn->secrets.tls12.master_secret, S2N_TLS_SECRET_LEN)); + POSIX_GUARD(s2n_stuffer_read_bytes(from, conn->secrets.version.tls12.master_secret, S2N_TLS_SECRET_LEN)); if (s2n_stuffer_data_available(from)) { uint8_t ems_negotiated = 0; @@ -216,7 +233,7 @@ static S2N_RESULT s2n_tls12_client_deserialize_session_state(struct s2n_connecti RESULT_ENSURE_REF(conn); RESULT_ENSURE_REF(from); - RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(from, &conn->actual_protocol_version)); + RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(from, &conn->resume_protocol_version)); uint8_t *cipher_suite_wire = s2n_stuffer_raw_read(from, S2N_TLS_CIPHER_SUITE_LEN); RESULT_ENSURE_REF(cipher_suite_wire); @@ -225,7 +242,7 @@ static S2N_RESULT s2n_tls12_client_deserialize_session_state(struct s2n_connecti uint64_t then = 0; RESULT_GUARD_POSIX(s2n_stuffer_read_uint64(from, &then)); - RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(from, conn->secrets.tls12.master_secret, S2N_TLS_SECRET_LEN)); + RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(from, conn->secrets.version.tls12.master_secret, S2N_TLS_SECRET_LEN)); if (s2n_stuffer_data_available(from)) { uint8_t ems_negotiated = 0; 
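Review bot: `s2n_tls12_client_deserialize_session_state` (fourth hunk) reads the ticket's protocol version straight into `conn->resume_protocol_version` with no range check, so an application-supplied session blob can carry any byte value; as far as this diff shows it is only rejected later, when the ServerHello comparison in s2n_server_hello.c fails, while before that point it steers `s2n_resume_protocol_version` and the session-id decision in s2n_client_hello.c. An upper bound at the read site would fail fast with the error the server-side deserializer in this file already uses for malformed state: `RESULT_ENSURE(conn->resume_protocol_version <= S2N_TLS13, S2N_ERR_INVALID_SERIALIZED_SESSION_STATE);`. The blob originates from the application's own earlier serialization, so this is hygiene rather than a trust-boundary defense, unless validation already exists outside the hunk. The function continues past the hunk end.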
@@ -505,7 +522,7 @@ S2N_RESULT s2n_connection_get_session_state_size(struct s2n_connection *conn, si RESULT_ENSURE_REF(conn->secure); RESULT_ENSURE_REF(state_size); - if (conn->actual_protocol_version < S2N_TLS13) { + if (s2n_resume_protocol_version(conn) < S2N_TLS13) { *state_size = S2N_TLS12_STATE_SIZE_IN_BYTES; return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_hello.c b/contrib/restricted/aws/s2n/tls/s2n_server_hello.c index 708346f1cb..b95d0157f9 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_server_hello.c +++ b/contrib/restricted/aws/s2n/tls/s2n_server_hello.c @@ -218,7 +218,7 @@ static int s2n_server_hello_parse(struct s2n_connection *conn) POSIX_BAIL(S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED); } - uint8_t actual_protocol_version = MIN(conn->server_protocol_version, conn->client_protocol_version); + conn->actual_protocol_version = MIN(conn->server_protocol_version, conn->client_protocol_version); /* *= https://tools.ietf.org/rfc/rfc5077#section-3.4 @@ -230,8 +230,8 @@ static int s2n_server_hello_parse(struct s2n_connection *conn) */ if (session_ids_match) { /* check if the resumed session state is valid */ - S2N_ERROR_IF(conn->actual_protocol_version != actual_protocol_version, S2N_ERR_BAD_MESSAGE); - S2N_ERROR_IF(memcmp(conn->secure->cipher_suite->iana_value, cipher_suite_wire, S2N_TLS_CIPHER_SUITE_LEN) != 0, + POSIX_ENSURE(conn->resume_protocol_version == conn->actual_protocol_version, S2N_ERR_BAD_MESSAGE); + POSIX_ENSURE(memcmp(conn->secure->cipher_suite->iana_value, cipher_suite_wire, S2N_TLS_CIPHER_SUITE_LEN) == 0, S2N_ERR_BAD_MESSAGE); /* Session is resumed */ 
@@ -239,10 +239,9 @@ static int s2n_server_hello_parse(struct s2n_connection *conn) } else { conn->session_id_len = session_id_len; POSIX_CHECKED_MEMCPY(conn->session_id, session_id, session_id_len); - conn->actual_protocol_version = actual_protocol_version; POSIX_GUARD(s2n_set_cipher_as_client(conn, cipher_suite_wire)); /* Erase master secret which might have been set for session resumption */ - POSIX_CHECKED_MEMSET((uint8_t *) conn->secrets.tls12.master_secret, 0, S2N_TLS_SECRET_LEN); + POSIX_CHECKED_MEMSET((uint8_t *) conn->secrets.version.tls12.master_secret, 0, S2N_TLS_SECRET_LEN); /* Erase client session ticket which might have been set for session resumption */ POSIX_GUARD(s2n_free(&conn->client_ticket)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c index 6a269a720c..2f8166def3 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c +++ b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c @@ -243,7 +243,7 @@ static int s2n_generate_session_secret(struct s2n_connection *conn, struct s2n_b s2n_tls13_connection_keys(secrets, conn); struct s2n_blob master_secret = { 0 }; - POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls13.resumption_master_secret, secrets.size)); + POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls13.resumption_master_secret, secrets.size)); POSIX_GUARD(s2n_realloc(output, secrets.size)); POSIX_GUARD_RESULT(s2n_tls13_derive_session_ticket_secret(&secrets, &master_secret, nonce, output)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c index 8d0e8423d9..26c523be87 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_handshake.c 
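Review bot: The full-handshake branch of `s2n_server_hello_parse` erases the resumed master secret and frees `conn->client_ticket` but leaves `conn->resume_protocol_version` at the value read from the now-discarded session state. By the visible code this is presumably benign once `actual_protocol_version` is set, because `s2n_resume_protocol_version` consults the field only before negotiation, but the three pieces of resumption state are now reset in different places; if nothing else clears it, `conn->resume_protocol_version = 0;` next to the memset keeps them together. The function continues outside the hunk.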
@@ -168,11 +168,11 @@ int s2n_update_application_traffic_keys(struct s2n_connection *conn, s2n_mode mo if (mode == S2N_CLIENT) { old_key = &conn->secure->client_key; - POSIX_GUARD(s2n_blob_init(&old_app_secret, conn->secrets.tls13.client_app_secret, keys.size)); + POSIX_GUARD(s2n_blob_init(&old_app_secret, conn->secrets.version.tls13.client_app_secret, keys.size)); POSIX_GUARD(s2n_blob_init(&app_iv, conn->secure->client_implicit_iv, S2N_TLS13_FIXED_IV_LEN)); } else { old_key = &conn->secure->server_key; - POSIX_GUARD(s2n_blob_init(&old_app_secret, conn->secrets.tls13.server_app_secret, keys.size)); + POSIX_GUARD(s2n_blob_init(&old_app_secret, conn->secrets.version.tls13.server_app_secret, keys.size)); POSIX_GUARD(s2n_blob_init(&app_iv, conn->secure->server_implicit_iv, S2N_TLS13_FIXED_IV_LEN)); } diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c b/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c index de7b493cce..1aecbef345 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_key_schedule.c @@ -332,6 +332,6 @@ S2N_RESULT s2n_tls13_key_schedule_reset(struct s2n_connection *conn) RESULT_ENSURE_REF(conn->initial); conn->client = conn->initial; conn->server = conn->initial; - conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET; + conn->secrets.extract_secret_type = S2N_NONE_SECRET; return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.c b/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.c index 66343fbd7d..3914a04461 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.c +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.c 
@@ -23,7 +23,7 @@ #define S2N_MAX_HASHLEN SHA384_DIGEST_LENGTH #define CONN_HMAC_ALG(conn) ((conn)->secure->cipher_suite->prf_alg) -#define CONN_SECRETS(conn) ((conn)->secrets.tls13) +#define CONN_SECRETS(conn) ((conn)->secrets.version.tls13) #define CONN_HASHES(conn) ((conn)->handshake.hashes) #define CONN_SECRET(conn, secret) ( \ @@ -170,7 +170,7 @@ static S2N_RESULT s2n_derive_secret_with_context(struct s2n_connection *conn, RESULT_ENSURE_REF(label); RESULT_ENSURE_REF(output); - RESULT_ENSURE(CONN_SECRETS(conn).extract_secret_type == input_secret_type, S2N_ERR_SECRET_SCHEDULE_STATE); + RESULT_ENSURE(conn->secrets.extract_secret_type == input_secret_type, S2N_ERR_SECRET_SCHEDULE_STATE); RESULT_ENSURE(s2n_conn_get_current_message_type(conn) == transcript_end_msg, S2N_ERR_SECRET_SCHEDULE_STATE); RESULT_GUARD(s2n_derive_secret(CONN_HMAC_ALG(conn), &CONN_SECRET(conn, extract_secret), label, &CONN_HASH(conn, transcript_hash_digest), output)); @@ -183,7 +183,7 @@ static S2N_RESULT s2n_derive_secret_without_context(struct s2n_connection *conn, RESULT_ENSURE_REF(conn); RESULT_ENSURE_REF(output); - RESULT_ENSURE(CONN_SECRETS(conn).extract_secret_type == input_secret_type, S2N_ERR_SECRET_SCHEDULE_STATE); + RESULT_ENSURE(conn->secrets.extract_secret_type == input_secret_type, S2N_ERR_SECRET_SCHEDULE_STATE); RESULT_GUARD(s2n_derive_secret(CONN_HMAC_ALG(conn), &CONN_SECRET(conn, extract_secret), &s2n_tls13_label_derived_secret, &EMPTY_CONTEXT(CONN_HMAC_ALG(conn)), output)); return S2N_RESULT_OK; 
@@ -537,11 +537,11 @@ S2N_RESULT s2n_tls13_extract_secret(struct s2n_connection *conn, s2n_extract_sec RESULT_ENSURE_GTE(secret_type, 0); RESULT_ENSURE_LT(secret_type, s2n_array_len(extract_methods)); - s2n_extract_secret_type_t next_secret_type = CONN_SECRETS(conn).extract_secret_type + 1; + s2n_extract_secret_type_t next_secret_type = conn->secrets.extract_secret_type + 1; for (s2n_extract_secret_type_t i = next_secret_type; i <= secret_type; i++) { RESULT_ENSURE_REF(extract_methods[i]); RESULT_GUARD(extract_methods[i](conn)); - CONN_SECRETS(conn).extract_secret_type = i; + conn->secrets.extract_secret_type = i; } return S2N_RESULT_OK; @@ -592,7 +592,7 @@ S2N_RESULT s2n_tls13_secrets_clean(struct s2n_connection *conn) * so these are the most sensitive secrets. */ RESULT_GUARD_POSIX(s2n_blob_zero(&CONN_SECRET(conn, extract_secret))); - conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET; + conn->secrets.extract_secret_type = S2N_NONE_SECRET; /* Wipe other secrets no longer needed */ RESULT_GUARD_POSIX(s2n_blob_zero(&CONN_SECRET(conn, client_early_secret))); @@ -663,7 +663,7 @@ S2N_RESULT s2n_tls13_secrets_get(struct s2n_connection *conn, s2n_extract_secret }; RESULT_ENSURE_GT(secret_type, S2N_NONE_SECRET); RESULT_ENSURE_LT(secret_type, s2n_array_len(secrets)); - RESULT_ENSURE_LTE(secret_type, CONN_SECRETS(conn).extract_secret_type); + RESULT_ENSURE_LTE(secret_type, conn->secrets.extract_secret_type); RESULT_ENSURE_REF(secrets[secret_type][mode]); secret->size = s2n_get_hash_len(CONN_HMAC_ALG(conn)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.h b/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.h index 526089169f..b99f76df8f 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.h +++ b/contrib/restricted/aws/s2n/tls/s2n_tls13_secrets.h 
@@ -32,7 +32,6 @@ typedef enum { struct s2n_tls13_secrets { uint8_t extract_secret[S2N_TLS13_SECRET_MAX_LEN]; - s2n_extract_secret_type_t extract_secret_type; uint8_t client_early_secret[S2N_TLS13_SECRET_MAX_LEN]; uint8_t client_handshake_secret[S2N_TLS13_SECRET_MAX_LEN]; @@ -41,6 +40,8 @@ struct s2n_tls13_secrets { uint8_t client_app_secret[S2N_TLS13_SECRET_MAX_LEN]; uint8_t server_app_secret[S2N_TLS13_SECRET_MAX_LEN]; uint8_t resumption_master_secret[S2N_TLS13_SECRET_MAX_LEN]; + + s2n_extract_secret_type_t extract_secret_type; }; S2N_RESULT s2n_tls13_empty_transcripts_init(); |
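Review bot: `struct s2n_tls13_secrets` still declares `s2n_extract_secret_type_t extract_secret_type` — it is removed at the top of the struct and re-added at the bottom — while every reader and writer in this diff now uses `conn->secrets.extract_secret_type` from the new `struct s2n_secrets`. Unless something outside the diff still touches the inner copy, it is dead state carrying the same name as the live one, and a future `CONN_SECRETS(conn).extract_secret_type` would compile against it and silently diverge from the real key-schedule position. Suggest dropping the re-added member rather than moving it, or, if it must stay for layout reasons, commenting it `/* unused: key schedule state lives in s2n_secrets.extract_secret_type */`.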