author | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
committer | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
commit | 09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2 (patch) | |
tree | dd44d2cb68e2845c2d4c367b66893f3e043a6e8e /contrib/restricted/aws/s2n/tls/s2n_config.h | |
parent | 5eb4a8a2d487411924e1d1b27c454223dcf35005 (diff) | |
download | ydb-09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.12
ref:f8279d764b4c00974a63543a1364c91e2b81b7a6
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_config.h')
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_config.h | 53 |
1 files changed, 47 insertions, 6 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.h b/contrib/restricted/aws/s2n/tls/s2n_config.h
index c5edf02418..c0068ce133 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_config.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_config.h
@@ -18,11 +18,11 @@
 #include "api/s2n.h"
 #include "crypto/s2n_certificate.h"
 #include "crypto/s2n_dhe.h"
+#include "tls/s2n_psk.h"
 #include "tls/s2n_resume.h"
 #include "tls/s2n_x509_validator.h"
 #include "utils/s2n_blob.h"
 #include "utils/s2n_set.h"
-#include "tls/s2n_psk.h"
 
 #define S2N_MAX_TICKET_KEYS 48
 #define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */
@@ -30,21 +30,37 @@
 struct s2n_cipher_preferences;
 
 struct s2n_config {
+    unsigned use_tickets:1;
+
+    /* Whether a connection can be used by a QUIC implementation.
+     * See s2n_quic_support.h */
+    unsigned quic_enabled:1;
+
     unsigned cert_allocated:1;
     unsigned default_certs_are_explicit:1;
-    unsigned use_tickets:1;
     unsigned use_session_cache:1;
     /* if this is FALSE, server will ignore client's Maximum Fragment Length request */
     unsigned accept_mfl:1;
     unsigned check_ocsp:1;
     unsigned disable_x509_validation:1;
     unsigned max_verify_cert_chain_depth_set:1;
-    /* Whether a connection can be used by a QUIC implementation.
-     * See s2n_quic_support.h */
-    unsigned quic_enabled:1;
     /* Whether to add dss cert type during a server certificate request.
-     * See https://github.com/awslabs/s2n/blob/main/docs/USAGE-GUIDE.md */
+     * See https://github.com/aws/s2n-tls/blob/main/docs/USAGE-GUIDE.md */
     unsigned cert_req_dss_legacy_compat_enabled:1;
+    /* Whether any RSA certificates have been configured server-side to send to clients. This is needed so that the
+     * server knows whether or not to self-downgrade to TLS 1.2 if the server is compiled with Openssl 1.0.2 and does
+     * not support RSA PSS signing (which is required for TLS 1.3). */
+    unsigned is_rsa_cert_configured:1;
+    /* It's possible to use a certificate without loading the private key,
+     * but async signing must be enabled. Use this flag to enforce that restriction.
+     */
+    unsigned no_signing_key:1;
+    /*
+     * This option exists to allow for polling the client_hello callback.
+     *
+     * Note: This defaults to false to ensure backwards compatibility.
+     */
+    unsigned client_hello_cb_enable_poll:1;
 
     struct s2n_dh_params *dhparams;
     /* Needed until we can deprecate s2n_config_add_cert_chain_and_key. This is
@@ -63,6 +79,8 @@ struct s2n_config {
     void *monotonic_clock_ctx;
     s2n_client_hello_fn *client_hello_cb;
+    s2n_client_hello_cb_mode client_hello_cb_mode;
+    void *client_hello_cb_ctx;
     uint64_t session_state_lifetime_in_nanos;
@@ -98,13 +116,36 @@ struct s2n_config {
     uint8_t mfl_code;
+    uint8_t initial_tickets_to_send;
+
     struct s2n_x509_trust_store trust_store;
     uint16_t max_verify_cert_chain_depth;
     s2n_async_pkey_fn async_pkey_cb;
+    s2n_psk_selection_callback psk_selection_cb;
+    void *psk_selection_ctx;
+
+    s2n_key_log_fn key_log_cb;
+    void *key_log_ctx;
+
+    s2n_session_ticket_fn session_ticket_cb;
+    void *session_ticket_ctx;
+
+    s2n_early_data_cb early_data_cb;
+
+    uint32_t server_max_early_data_size;
+
+    s2n_psk_mode psk_mode;
+
+    s2n_async_pkey_validation_mode async_pkey_validation_mode;
+
+    /* The user defined context associated with config */
+    void *context;
 };
+S2N_CLEANUP_RESULT s2n_config_ptr_free(struct s2n_config **config);
+
 int s2n_config_defaults_init(void);
 extern struct s2n_config *s2n_fetch_default_config(void);
 int s2n_config_set_unsafe_for_testing(struct s2n_config *config);