author | robot-contrib <robot-contrib@yandex-team.com> | 2022-08-10 11:44:54 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2022-08-10 11:44:54 +0300 |
commit | 80e5365ef2b1dd1a7c608103d8c13c0515aa8e95 (patch) | |
tree | 4db54a4f3052afd1456be6c038bf3e9a39c51c71 /contrib/restricted/aws/s2n/api/s2n.h | |
parent | b1e3c856d108130762d6ca0db45802eb791e7c59 (diff) | |
download | ydb-80e5365ef2b1dd1a7c608103d8c13c0515aa8e95.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.19
Diffstat (limited to 'contrib/restricted/aws/s2n/api/s2n.h')
-rw-r--r-- | contrib/restricted/aws/s2n/api/s2n.h | 46 |
1 files changed, 25 insertions, 21 deletions
diff --git a/contrib/restricted/aws/s2n/api/s2n.h b/contrib/restricted/aws/s2n/api/s2n.h
index 11df0c5f99..e1d4c587bd 100644
--- a/contrib/restricted/aws/s2n/api/s2n.h
+++ b/contrib/restricted/aws/s2n/api/s2n.h
@@ -496,7 +496,7 @@ S2N_API
 extern int s2n_config_set_cache_delete_callback(struct s2n_config *config, s2n_cache_delete_callback cache_delete_callback, void *data);
 
 /**
- * A function that will be called when s2n-tls is initialized.
+ * Called when `s2n_init` is executed.
  */
 typedef int (*s2n_mem_init_callback)(void);
 
@@ -506,8 +506,9 @@ typedef int (*s2n_mem_init_callback)(void);
 typedef int (*s2n_mem_cleanup_callback)(void);
 
 /**
- * A function that can allocate at least `requested` bytes of memory and
- * store the location of that memory in **\*ptr**, and the size of the allocated
+ * A function that can allocate at least `requested` bytes of memory.
+ *
+ * It stores the location of that memory in **\*ptr** and the size of the allocated
  * data in **\*allocated**. The function may choose to allocate more memory
  * than was requested. s2n-tls will consider all allocated memory available for
  * use, and will attempt to free all allocated memory when able.
@@ -515,12 +516,12 @@ typedef int (*s2n_mem_cleanup_callback)(void);
 typedef int (*s2n_mem_malloc_callback)(void **ptr, uint32_t requested, uint32_t *allocated);
 
 /**
- * A function that can free memory.
+ * Frees memory allocated by s2n_mem_malloc_callback.
  */
 typedef int (*s2n_mem_free_callback)(void *ptr, uint32_t size);
 
 /**
- * Allows the caller to over-ride s2n-tls's internal memory handling functions.
+ * Allows the caller to override s2n-tls's internal memory handling functions.
  *
  * @warning This function must be called before s2n_init().
  *
@@ -557,7 +558,7 @@ typedef int (*s2n_rand_seed_callback)(void *data, uint32_t size);
 typedef int (*s2n_rand_mix_callback)(void *data, uint32_t size);
 
 /**
- * Allows the caller to over-ride s2n-tls's entropy functions.
+ * Allows the caller to override s2n-tls's entropy functions.
  *
  * @warning This function must be called before s2n_init().
  *
@@ -880,22 +881,21 @@ extern int s2n_config_wipe_trust_store(struct s2n_config *config);
  * of the X.509 validation will succeed.
  *
  * If no hostname results in a 1 being returned, the certificate will be untrusted and the
- * validation will terminate immediately. The default behavior is to reject all host names
- * found in a certificate if client mode or client authentication is being used.
+ * validation will terminate immediately.
  *
- * Data is a opaque user context set in s2n_config_set_verify_host_callback().
+ * Data is a opaque user context set in s2n_config_set_verify_host_callback() or s2n_connection_set_verify_host_callback().
  */
 typedef uint8_t (*s2n_verify_host_fn) (const char *host_name, size_t host_name_len, void *data);
 
 /**
  * Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.
- * By default, no certificate will be trusted. To override this behavior, set this callback.
  *
- * This change will be inherited by s2n_connections using this config. If s2n_connection specifies
- * a callback, that callback will be used for that connection.
+ * The default behavior is to require that the hostname match the server name set with s2n_set_server_name().
+ * This will likely lead to all client certificates being rejected, so the callback will need to be overriden when using
+ * client authentication.
  *
- * If a separate callback for different connections using the same config is desired,
- * see s2n_connection_set_verify_host_callback().
+ * This change will be inherited by s2n_connections using this config. If a separate callback for different connections
+ * using the same config is desired, see s2n_connection_set_verify_host_callback().
  *
  * @param config The configuration object being updated
  * @param data A user supplied opaque context to pass back to the callback
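Review bot: The rewritten comment on s2n_config_set_verify_host_callback() says the callback "will need to be overriden when using client authentication" but gives no guidance on what the replacement has to check, while the s2n_verify_host_fn text earlier in this hunk makes a returned 1 the signal that the name is trusted. I would add one sentence after that paragraph, for example `* The callback should return 1 only when host_name matches an identity the application expects; a callback that always returns 1 would effectively turn hostname verification off.` The same paragraph is repeated for s2n_connection_set_verify_host_callback() in the -1618 hunk and needs the same sentence, and "overriden" should read "overridden" in both places. As this header is vendored from s2n-tls, the wording is probably best fixed upstream rather than patched here.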
@@ -1035,6 +1035,7 @@ extern int s2n_config_set_ct_support_level(struct s2n_config *config, s2n_ct_sup
  * - `S2N_ALERT_IGNORE_WARNINGS` - with the exception of `close_notify` s2n-tls will ignore all WARNING alerts and keep communicating with its peer. This setting is ignored in TLS1.3
  *
  * @note TLS1.3 terminates a connection for all alerts except user_canceled.
+ * @warning S2N_ALERT_FAIL_ON_WARNINGS is the recommended behavior. Past TLS protocol vulnerabilities have involved downgrading alerts to warnings.
  */
 typedef enum { S2N_ALERT_FAIL_ON_WARNINGS = 0, S2N_ALERT_IGNORE_WARNINGS = 1 } s2n_alert_behavior;
 
@@ -1071,6 +1072,8 @@ extern int s2n_config_set_extension_data(struct s2n_config *config, s2n_tls_exte
  * length overrides the preference set by the `s2n_connection_prefer_throughput` and
  * `s2n_connection_prefer_low_latency`.
  *
+ * @note Some TLS implementations do not respect their peer's max fragment length extension.
+ *
  * @param config The configuration object being updated
  * @param mfl_code The selected MFL size
  * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
@@ -1083,6 +1086,8 @@ extern int s2n_config_send_max_fragment_length(struct s2n_config *config, s2n_ma
  * requests. If this API is not called, and client requests the extension, server will ignore
  * the request and continue TLS handshake with default maximum fragment length of 8k bytes
  *
+ * @note Some TLS implementations do not respect their peer's max fragment length extension.
+ *
  * @param config The configuration object being updated
  * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
  */
@@ -1618,21 +1623,20 @@ S2N_API
 extern int s2n_connection_set_dynamic_record_threshold(struct s2n_connection *conn, uint32_t resize_threshold, uint16_t timeout_threshold);
 
 /**
- * Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted. By default,
- * no certificate will be trusted. To override this behavior, set this callback. See s2n_verify_host_fn()
- * for details. This configuration will be inherited by default to new instances of `s2n_connection`.
+ * Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.
  *
- * If a separate callback for different connections using the same config is desired, see s2n_connection_set_verify_host_callback()
+ * The default behavior is to require that the hostname match the server name set with s2n_set_server_name(). This will
+ * likely lead to all client certificates being rejected, so the callback will need to be overriden when using client authentication.
  *
- * @note If you don't want to use the configuration wide callback, you can set this per connection and it will be honored.
+ * If a single callback for different connections using the same config is desired, see s2n_config_set_verify_host_callback().
  *
- * @param config A pointer to a s2n_config object
+ * @param conn A pointer to a s2n_connection object
  * @param host_fn A pointer to a callback function that s2n will invoke in order to verify the hostname of an X.509 certificate
  * @param data Opaque pointer to data that the verify host function will be invoked with
  * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
  */
 S2N_API
-extern int s2n_connection_set_verify_host_callback(struct s2n_connection *config, s2n_verify_host_fn host_fn, void *data);
+extern int s2n_connection_set_verify_host_callback(struct s2n_connection *conn, s2n_verify_host_fn host_fn, void *data);
 
 /**
  * Used to opt-out of s2n-tls's built-in blinding. Blinding is a |