author | robot-contrib <robot-contrib@yandex-team.com> | 2022-11-30 20:07:11 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2022-11-30 20:07:11 +0300 |
commit | 3dfe99f4cc702156a58dce52df0cf2100c626241 (patch) | |
tree | 73ae0e2d09d6ffc5bbb24123bd97592ca45cfde0 /contrib/restricted/aws/s2n/tls/s2n_crl.h | |
parent | 5941cbae8a1b816d4743f50c20c7a5631af4e8e1 (diff) | |
Update contrib/restricted/aws/s2n to 1.3.28
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_crl.h')
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_crl.h | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_crl.h b/contrib/restricted/aws/s2n/tls/s2n_crl.h
index db8c967d32..f905f853ba 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_crl.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_crl.h
@@ -16,16 +16,43 @@
 #pragma once
 #include "api/s2n.h"
+#include "utils/s2n_result.h"
 #include <openssl/x509v3.h>
+struct s2n_x509_validator;
+
 struct s2n_crl {
 X509_CRL *crl;
 };
+typedef enum {
+ AWAITING_RESPONSE,
+ FINISHED
+} crl_lookup_callback_status;
+
+struct s2n_crl_lookup {
+ crl_lookup_callback_status status;
+ X509 *cert;
+ uint16_t cert_idx;
+ struct s2n_crl *crl;
+};
+
+typedef int (*s2n_crl_lookup_callback) (struct s2n_crl_lookup *lookup, void *context);
+
 /* TODO: APIs are part of an unfinished CRL validation feature and are temporarily hidden
 * https://github.com/aws/s2n-tls/issues/3499
 */
 struct s2n_crl *s2n_crl_new(void);
 int s2n_crl_load_pem(struct s2n_crl *crl, uint8_t *pem, size_t len);
 int s2n_crl_free(struct s2n_crl **crl);
 int s2n_crl_get_issuer_hash(struct s2n_crl *crl, uint64_t *hash);
+int s2n_crl_validate_active(struct s2n_crl *crl);
+int s2n_crl_validate_not_expired(struct s2n_crl *crl);
+int s2n_crl_lookup_get_cert_issuer_hash(struct s2n_crl_lookup *lookup, uint64_t *hash);
+int s2n_crl_lookup_set(struct s2n_crl_lookup *lookup, struct s2n_crl *crl);
+int s2n_crl_lookup_ignore(struct s2n_crl_lookup *lookup);
+
+S2N_RESULT s2n_crl_handle_lookup_callback_result(struct s2n_x509_validator *validator);
+S2N_RESULT s2n_crl_invoke_lookup_callbacks(struct s2n_connection *conn, struct s2n_x509_validator *validator);
+S2N_RESULT s2n_crl_get_crls_from_lookup_list(struct s2n_x509_validator *validator, STACK_OF(X509_CRL) *crl_stack);
+int s2n_crl_ossl_verify_callback(int default_ossl_ret, X509_STORE_CTX *ctx); |