author | robot-contrib <robot-contrib@yandex-team.com> | 2023-05-12 10:28:42 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-05-12 10:28:42 +0300 |
commit | bb9187654c4ea19cbbac471a7d9ba158fa0ebe99 (patch) | |
tree | 20e41b05f4a95138a08c6e2225030958624ba263 /contrib/restricted/aws/s2n/tls/s2n_connection.c | |
parent | aa95211fddb9867731b60e56b78ac75f05f42243 (diff) | |
Update contrib/restricted/aws/s2n to 1.3.43
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_connection.c')
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_connection.c | 109 |
1 files changed, 78 insertions, 31 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.c b/contrib/restricted/aws/s2n/tls/s2n_connection.c
index 16d1c19850..07768e2075 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_connection.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_connection.c
@@ -306,8 +306,8 @@ int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_config *co
 } else {
 POSIX_GUARD(s2n_x509_validator_init(&conn->x509_validator, &config->trust_store, config->check_ocsp));
 if (!conn->verify_host_fn_overridden) {
- if (config->verify_host != NULL) {
- conn->verify_host_fn = config->verify_host;
+ if (config->verify_host_fn != NULL) {
+ conn->verify_host_fn = config->verify_host_fn;
 conn->data_for_verify_host = config->data_for_verify_host;
 } else {
 conn->verify_host_fn = s2n_default_verify_host;
@@ -1093,6 +1093,35 @@ uint64_t s2n_connection_get_delay(struct s2n_connection *conn)
 return conn->delay - elapsed;
 }
+static S2N_RESULT s2n_connection_kill(struct s2n_connection *conn)
+{
+ RESULT_ENSURE_REF(conn);
+ RESULT_GUARD(s2n_connection_set_closed(conn));
+
+ /* Delay between 10 and 30 seconds in nanoseconds */
+ int64_t min = TEN_S, max = 3 * TEN_S;
+
+ /* Keep track of the delay so that it can be enforced */
+ uint64_t rand_delay = 0;
+ RESULT_GUARD(s2n_public_random(max - min, &rand_delay));
+
+ conn->delay = min + rand_delay;
+
+ /* Restart the write timer */
+ RESULT_GUARD(s2n_timer_start(conn->config, &conn->write_timer));
+
+ if (conn->blinding == S2N_BUILT_IN_BLINDING) {
+ struct timespec sleep_time = { .tv_sec = conn->delay / ONE_S, .tv_nsec = conn->delay % ONE_S };
+
+ int r = 0;
+ do {
+ r = nanosleep(&sleep_time, &sleep_time);
+ } while (r != 0);
+ }
+
+ return S2N_RESULT_OK;
+}
+
 S2N_CLEANUP_RESULT s2n_connection_apply_error_blinding(struct s2n_connection **conn)
 {
 RESULT_ENSURE_REF(conn);
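Review bot: In the new static `s2n_connection_kill`, a failure of `RESULT_GUARD(s2n_public_random(max - min, &rand_delay))` returns before `conn->delay` is assigned, and a failure of `RESULT_GUARD(s2n_timer_start(...))` returns before the `nanosleep` loop, so either error leaves the connection closed with no blinding delay enforced. The delay is the timing side-channel mitigation, so this path should fail closed rather than skip it. Assigning `conn->delay = min;` before the random call would at least record the minimum delay for callers that enforce it themselves. The built-in sleep would still be skipped unless the guards are restructured. Whether the caller acts on the returned error is not visible in this hunk.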
@@ -1126,45 +1155,23 @@ S2N_CLEANUP_RESULT s2n_connection_apply_error_blinding(struct s2n_connection **c
 case S2N_ERR_CANCELLED:
 case S2N_ERR_CIPHER_NOT_SUPPORTED:
 case S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED:
- (*conn)->closed = 1;
+ RESULT_GUARD(s2n_connection_set_closed(*conn));
 break;
 default:
 /* Apply blinding to all other errors */
- RESULT_GUARD_POSIX(s2n_connection_kill(*conn));
+ RESULT_GUARD(s2n_connection_kill(*conn));
 break;
 }
 return S2N_RESULT_OK;
 }
-int s2n_connection_kill(struct s2n_connection *conn)
+S2N_RESULT s2n_connection_set_closed(struct s2n_connection *conn)
 {
- POSIX_ENSURE_REF(conn);
-
- conn->closed = 1;
-
- /* Delay between 10 and 30 seconds in nanoseconds */
- int64_t min = TEN_S, max = 3 * TEN_S;
-
- /* Keep track of the delay so that it can be enforced */
- uint64_t rand_delay = 0;
- POSIX_GUARD_RESULT(s2n_public_random(max - min, &rand_delay));
-
- conn->delay = min + rand_delay;
-
- /* Restart the write timer */
- POSIX_GUARD_RESULT(s2n_timer_start(conn->config, &conn->write_timer));
-
- if (conn->blinding == S2N_BUILT_IN_BLINDING) {
- struct timespec sleep_time = { .tv_sec = conn->delay / ONE_S, .tv_nsec = conn->delay % ONE_S };
- int r;
-
- do {
- r = nanosleep(&sleep_time, &sleep_time);
- } while (r != 0);
- }
-
- return 0;
+ RESULT_ENSURE_REF(conn);
+ conn->read_closed = 1;
+ conn->write_closed = 1;
+ return S2N_RESULT_OK;
 }
 const uint8_t *s2n_connection_get_ocsp_response(struct s2n_connection *conn, uint32_t *length)
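Review bot: `s2n_connection_set_closed` is added as a non-static helper with no comment, and it replaces the single `closed` flag with separate `read_closed` and `write_closed` flags, so its contract should be stated at the definition. Suggested comment: `/* Marks both the read and the write side closed. Only sets the flags: sends no alert and applies no blinding. */`. That matches the body shown here, which assigns the two fields and returns. The switch that calls it in `s2n_connection_apply_error_blinding` begins outside this hunk.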
@@ -1534,3 +1541,43 @@ S2N_RESULT s2n_connection_dynamic_free_in_buffer(struct s2n_connection *conn)
 return S2N_RESULT_OK;
 }
+
+bool s2n_connection_check_io_status(struct s2n_connection *conn, s2n_io_status status)
+{
+ if (!conn) {
+ return false;
+ }
+
+ const bool is_full_duplex = !conn->read_closed && !conn->write_closed;
+
+ /*
+ *= https://tools.ietf.org/rfc/rfc8446#section-6.1
+ *# Note that this is a change from versions of TLS prior to TLS 1.3 in
+ *# which implementations were required to react to a "close_notify" by
+ *# discarding pending writes and sending an immediate "close_notify"
+ *# alert of their own.
+ */
+ if (s2n_connection_get_protocol_version(conn) < S2N_TLS13) {
+ switch (status) {
+ case S2N_IO_WRITABLE:
+ case S2N_IO_READABLE:
+ case S2N_IO_FULL_DUPLEX:
+ return is_full_duplex;
+ case S2N_IO_CLOSED:
+ return !is_full_duplex;
+ }
+ }
+
+ switch (status) {
+ case S2N_IO_WRITABLE:
+ return !conn->write_closed;
+ case S2N_IO_READABLE:
+ return !conn->read_closed;
+ case S2N_IO_FULL_DUPLEX:
+ return is_full_duplex;
+ case S2N_IO_CLOSED:
+ return conn->read_closed && conn->write_closed;
+ }
+
+ return false;
+}
|
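Review bot: With `conn == NULL`, `s2n_connection_check_io_status` returns `false` for every status, including `S2N_IO_CLOSED`, so a caller that gates I/O on "not closed" would treat a null connection as open. Call sites are not visible in this hunk, so this may be harmless, but the behaviour should be documented at the definition, for example `/* Returns false for a NULL conn, for every status, including S2N_IO_CLOSED. */`. The pre-TLS 1.3 switch also has no `default`, so an out-of-range `status` falls through to the TLS 1.3 switch before reaching the final `return false`. A one-line comment that this fall-through is intended would make the control flow easier to audit.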