diff options
author | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
---|---|---|
committer | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
commit | 09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2 (patch) | |
tree | dd44d2cb68e2845c2d4c367b66893f3e043a6e8e /contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c | |
parent | 5eb4a8a2d487411924e1d1b27c454223dcf35005 (diff) | |
download | ydb-09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.12
ref:f8279d764b4c00974a63543a1364c91e2b81b7a6
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c')
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c | 72 |
1 files changed, 41 insertions, 31 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c b/contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c index b11150c48c..5327b5bc7e 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c +++ b/contrib/restricted/aws/s2n/tls/s2n_client_cert_verify.c @@ -13,7 +13,7 @@ * permissions and limitations under the License. */ -#include <s2n.h> +#include "api/s2n.h" #include "error/s2n_errno.h" @@ -25,68 +25,78 @@ #include "stuffer/s2n_stuffer.h" #include "utils/s2n_safety.h" +#include "tls/s2n_async_pkey.h" +static int s2n_client_cert_verify_send_complete(struct s2n_connection *conn, struct s2n_blob *signature); int s2n_client_cert_verify_recv(struct s2n_connection *conn) { + POSIX_ENSURE_REF(conn); + struct s2n_handshake_hashes *hashes = conn->handshake.hashes; + POSIX_ENSURE_REF(hashes); + struct s2n_stuffer *in = &conn->handshake.io; - struct s2n_signature_scheme chosen_sig_scheme = s2n_rsa_pkcs1_md5_sha1; + struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme; - if(conn->actual_protocol_version >= S2N_TLS12){ + if (conn->actual_protocol_version < S2N_TLS12) { + POSIX_GUARD(s2n_choose_default_sig_scheme(conn, chosen_sig_scheme, S2N_CLIENT)); + } else { /* Verify the SigScheme picked by the Client was in the preference list we sent (or is the default SigScheme) */ - GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, &chosen_sig_scheme)); + POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, chosen_sig_scheme)); } + uint16_t signature_size; struct s2n_blob signature = {0}; - GUARD(s2n_stuffer_read_uint16(in, &signature_size)); + POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_size)); signature.size = signature_size; signature.data = s2n_stuffer_raw_read(in, signature.size); - notnull_check(signature.data); + POSIX_ENSURE_REF(signature.data); /* Use a copy of the hash state since the verify digest computation may modify the running hash state we need later. */ - struct s2n_hash_state hash_state = {0}; - GUARD(s2n_handshake_get_hash_state(conn, chosen_sig_scheme.hash_alg, &hash_state)); - GUARD(s2n_hash_copy(&conn->handshake.ccv_hash_copy, &hash_state)); + struct s2n_hash_state *hash_state = &hashes->hash_workspace; + POSIX_GUARD_RESULT(s2n_handshake_copy_hash_state(conn, chosen_sig_scheme->hash_alg, hash_state)); /* Verify the signature */ - GUARD(s2n_pkey_verify(&conn->secure.client_public_key, chosen_sig_scheme.sig_alg, &conn->handshake.ccv_hash_copy, &signature)); + POSIX_GUARD(s2n_pkey_verify(&conn->handshake_params.client_public_key, chosen_sig_scheme->sig_alg, hash_state, &signature)); /* Client certificate has been verified. Minimize required handshake hash algs */ - GUARD(s2n_conn_update_required_handshake_hashes(conn)); + POSIX_GUARD(s2n_conn_update_required_handshake_hashes(conn)); - return 0; + return S2N_SUCCESS; } int s2n_client_cert_verify_send(struct s2n_connection *conn) { - struct s2n_stuffer *out = &conn->handshake.io; + POSIX_ENSURE_REF(conn); + struct s2n_handshake_hashes *hashes = conn->handshake.hashes; + POSIX_ENSURE_REF(hashes); - struct s2n_signature_scheme chosen_sig_scheme = s2n_rsa_pkcs1_md5_sha1; + S2N_ASYNC_PKEY_GUARD(conn); + struct s2n_stuffer *out = &conn->handshake.io; - if (conn->actual_protocol_version >= S2N_TLS12) { - chosen_sig_scheme = conn->secure.client_cert_sig_scheme; - GUARD(s2n_stuffer_write_uint16(out, conn->secure.client_cert_sig_scheme.iana_value)); + struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme; + if (conn->actual_protocol_version < S2N_TLS12) { + POSIX_GUARD(s2n_choose_default_sig_scheme(conn, chosen_sig_scheme, S2N_CLIENT)); + } else { + POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.client_cert_sig_scheme.iana_value)); } /* Use a copy of the hash state since the verify digest computation may modify the running hash state we need later. */ - struct s2n_hash_state hash_state = {0}; - GUARD(s2n_handshake_get_hash_state(conn, chosen_sig_scheme.hash_alg, &hash_state)); - GUARD(s2n_hash_copy(&conn->handshake.ccv_hash_copy, &hash_state)); + struct s2n_hash_state *hash_state = &hashes->hash_workspace; + POSIX_GUARD_RESULT(s2n_handshake_copy_hash_state(conn, chosen_sig_scheme->hash_alg, hash_state)); - struct s2n_cert_chain_and_key *cert_chain_and_key = conn->handshake_params.our_chain_and_key; - - DEFER_CLEANUP(struct s2n_blob signature = {0}, s2n_free); - uint32_t max_signature_size = 0; - GUARD_AS_POSIX(s2n_pkey_size(cert_chain_and_key->private_key, &max_signature_size)); - GUARD(s2n_alloc(&signature, max_signature_size)); + S2N_ASYNC_PKEY_SIGN(conn, chosen_sig_scheme->sig_alg, hash_state, s2n_client_cert_verify_send_complete); +} - GUARD(s2n_pkey_sign(cert_chain_and_key->private_key, chosen_sig_scheme.sig_alg, &conn->handshake.ccv_hash_copy, &signature)); +static int s2n_client_cert_verify_send_complete(struct s2n_connection *conn, struct s2n_blob *signature) +{ + struct s2n_stuffer *out = &conn->handshake.io; - GUARD(s2n_stuffer_write_uint16(out, signature.size)); - GUARD(s2n_stuffer_write(out, &signature)); + POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size)); + POSIX_GUARD(s2n_stuffer_write(out, signature)); /* Client certificate has been verified. Minimize required handshake hash algs */ - GUARD(s2n_conn_update_required_handshake_hashes(conn)); + POSIX_GUARD(s2n_conn_update_required_handshake_hashes(conn)); - return 0; + return S2N_SUCCESS; } |