authorthegeorg <thegeorg@yandex-team.ru>2022-05-10 22:16:03 +0300
committerthegeorg <thegeorg@yandex-team.ru>2022-05-10 22:16:03 +0300
commit09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2 (patch)
treedd44d2cb68e2845c2d4c367b66893f3e043a6e8e /contrib/restricted/aws/s2n/tls/s2n_config.h
parent5eb4a8a2d487411924e1d1b27c454223dcf35005 (diff)
downloadydb-09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2.tar.gz
Update contrib/restricted/aws/s2n to 1.3.12
ref:f8279d764b4c00974a63543a1364c91e2b81b7a6
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_config.h')
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_config.h53
1 files changed, 47 insertions, 6 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.h b/contrib/restricted/aws/s2n/tls/s2n_config.h
index c5edf02418..c0068ce133 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_config.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_config.h
@@ -18,11 +18,11 @@
#include "api/s2n.h"
#include "crypto/s2n_certificate.h"
#include "crypto/s2n_dhe.h"
+#include "tls/s2n_psk.h"
#include "tls/s2n_resume.h"
#include "tls/s2n_x509_validator.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_set.h"
-#include "tls/s2n_psk.h"
#define S2N_MAX_TICKET_KEYS 48
#define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */
@@ -30,21 +30,37 @@
struct s2n_cipher_preferences;
struct s2n_config {
+ unsigned use_tickets:1;
+
+ /* Whether a connection can be used by a QUIC implementation.
+ * See s2n_quic_support.h */
+ unsigned quic_enabled:1;
+
unsigned cert_allocated:1;
unsigned default_certs_are_explicit:1;
- unsigned use_tickets:1;
unsigned use_session_cache:1;
/* if this is FALSE, server will ignore client's Maximum Fragment Length request */
unsigned accept_mfl:1;
unsigned check_ocsp:1;
unsigned disable_x509_validation:1;
unsigned max_verify_cert_chain_depth_set:1;
- /* Whether a connection can be used by a QUIC implementation.
- * See s2n_quic_support.h */
- unsigned quic_enabled:1;
/* Whether to add dss cert type during a server certificate request.
- * See https://github.com/awslabs/s2n/blob/main/docs/USAGE-GUIDE.md */
+ * See https://github.com/aws/s2n-tls/blob/main/docs/USAGE-GUIDE.md */
unsigned cert_req_dss_legacy_compat_enabled:1;
+ /* Whether any RSA certificates have been configured server-side to send to clients. This is needed so that the
+ * server knows whether or not to self-downgrade to TLS 1.2 if the server is compiled with Openssl 1.0.2 and does
+ * not support RSA PSS signing (which is required for TLS 1.3). */
+ unsigned is_rsa_cert_configured:1;
+ /* It's possible to use a certificate without loading the private key,
+ * but async signing must be enabled. Use this flag to enforce that restriction.
+ */
+ unsigned no_signing_key:1;
+ /*
+ * This option exists to allow for polling the client_hello callback.
+ *
+ * Note: This defaults to false to ensure backwards compatibility.
+ */
+ unsigned client_hello_cb_enable_poll:1;
struct s2n_dh_params *dhparams;
/* Needed until we can deprecate s2n_config_add_cert_chain_and_key. This is
@@ -63,6 +79,8 @@ struct s2n_config {
void *monotonic_clock_ctx;
s2n_client_hello_fn *client_hello_cb;
+ s2n_client_hello_cb_mode client_hello_cb_mode;
+
void *client_hello_cb_ctx;
uint64_t session_state_lifetime_in_nanos;
@@ -98,13 +116,36 @@ struct s2n_config {
uint8_t mfl_code;
+ uint8_t initial_tickets_to_send;
+
struct s2n_x509_trust_store trust_store;
uint16_t max_verify_cert_chain_depth;
s2n_async_pkey_fn async_pkey_cb;
+
s2n_psk_selection_callback psk_selection_cb;
+ void *psk_selection_ctx;
+
+ s2n_key_log_fn key_log_cb;
+ void *key_log_ctx;
+
+ s2n_session_ticket_fn session_ticket_cb;
+ void *session_ticket_ctx;
+
+ s2n_early_data_cb early_data_cb;
+
+ uint32_t server_max_early_data_size;
+
+ s2n_psk_mode psk_mode;
+
+ s2n_async_pkey_validation_mode async_pkey_validation_mode;
+
+ /* The user defined context associated with config */
+ void *context;
};
+S2N_CLEANUP_RESULT s2n_config_ptr_free(struct s2n_config **config);
+
int s2n_config_defaults_init(void);
extern struct s2n_config *s2n_fetch_default_config(void);
int s2n_config_set_unsafe_for_testing(struct s2n_config *config);