Restoring authorship annotation for <orivej@yandex-team.ru>. Commit 1 of 2.

author: orivej <orivej@yandex-team.ru> 2022-02-10 16:44:49 +0300
committer: Daniil Cherednik <dcherednik@yandex-team.ru> 2022-02-10 16:44:49 +0300
commit: 718c552901d703c502ccbefdfc3c9028d608b947 (patch)
tree: 46534a98bbefcd7b1f3faa5b52c138ab27db75b7 /contrib/restricted/aws/s2n/tls/s2n_handshake.h
parent: e9656aae26e0358d5378e5b63dcac5c8dbe0e4d0 (diff)
download: ydb-718c552901d703c502ccbefdfc3c9028d608b947.tar.gz
1 files changed, 220 insertions, 220 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.h b/contrib/restricted/aws/s2n/tls/s2n_handshake.h
index cb871889e4..a0fde5f3af 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.h
@@ -1,220 +1,220 @@
-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- *  http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-#pragma once
-
-#include <stdint.h>
-#include <s2n.h>
-
-#include "tls/s2n_crypto.h"
-#include "tls/s2n_signature_algorithms.h"
-#include "tls/s2n_tls_parameters.h"
-
-#include "stuffer/s2n_stuffer.h"
-
-#include "crypto/s2n_certificate.h"
-#include "crypto/s2n_hash.h"
-
-/* From RFC 8446: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
-#define TLS_HELLO_REQUEST              0
-#define TLS_CLIENT_HELLO               1
-#define TLS_SERVER_HELLO               2
-#define TLS_SERVER_NEW_SESSION_TICKET  4
-#define TLS_ENCRYPTED_EXTENSIONS       8
-#define TLS_CERTIFICATE               11
-#define TLS_SERVER_KEY                12
-#define TLS_CERT_REQ                  13
-#define TLS_SERVER_HELLO_DONE         14
-#define TLS_CERT_VERIFY               15
-#define TLS_CLIENT_KEY                16
-#define TLS_FINISHED                  20
-#define TLS_SERVER_CERT_STATUS        22
-#define TLS_SERVER_SESSION_LOOKUP     23
-#define TLS_KEY_UPDATE                24
-#define TLS_MESSAGE_HASH             254
-
-/* This is the list of message types that we support */
-typedef enum {
-    CLIENT_HELLO=0,
-    SERVER_HELLO,
-    SERVER_CERT,
-    SERVER_NEW_SESSION_TICKET,
-    SERVER_CERT_STATUS,
-    SERVER_KEY,
-    SERVER_CERT_REQ,
-    SERVER_HELLO_DONE,
-    CLIENT_CERT,
-    CLIENT_KEY,
-    CLIENT_CERT_VERIFY,
-    CLIENT_CHANGE_CIPHER_SPEC,
-    CLIENT_FINISHED,
-    SERVER_CHANGE_CIPHER_SPEC,
-    SERVER_FINISHED,
-
-    /* TLS1.3 message types. Defined: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
-    ENCRYPTED_EXTENSIONS,
-    SERVER_CERT_VERIFY,
-    HELLO_RETRY_MSG,
-
-    APPLICATION_DATA,
-} message_type_t;
-
-typedef enum {
-    S2N_ASYNC_NOT_INVOKED = 0,
-    S2N_ASYNC_INVOKING_CALLBACK,
-    S2N_ASYNC_INVOKED_WAITING,
-    S2N_ASYNC_INVOKED_COMPLETE,
-} s2n_async_state;
-
-struct s2n_handshake_parameters {
-    /* Signature/hash algorithm pairs offered by the client in the signature_algorithms extension */
-    struct s2n_sig_scheme_list client_sig_hash_algs;
-
-    /* Signature/hash algorithm pairs offered by the server in the certificate request */
-    struct s2n_sig_scheme_list server_sig_hash_algs;
-
-    /* The cert chain we will send the peer. */
-    struct s2n_cert_chain_and_key *our_chain_and_key;
-
-    /* The subset of certificates that match the server_name presented in the ClientHello.
-     * In the case of multiple certificates matching a server_name, s2n will prefer certificates
-     * in FIFO order based on calls to s2n_config_add_cert_chain_and_key_to_store
-     *
-     * Note that in addition to domain matching, the key type for the certificate must also be
-     * suitable for a negotiation in order to be selected. The set of matching certs here are indexed
-     * by s2n_authentication_method.
-     *
-     * Example:
-     *    - Assume certA is added to s2n_config via s2n_config_add_cert_chain_and_key_to_store
-     *    - Next certB is added.
-     *    - if certA matches www.foo.com and certB matches www.foo.com, s2n will prefer certA
-     *
-     * Note that in addition to domain matching, the key type for the certificate must also be
-     * suitable for a negotiation in order to be selected.
-     *
-     * Example:
-     *    - Assume certA and certB match server_name www.foo.com
-     *    - certA is ECDSA and certB is RSA.
-     *    - Client only supports RSA ciphers
-     *    - certB will be selected.
-     */
-    struct s2n_cert_chain_and_key *exact_sni_matches[S2N_CERT_TYPE_COUNT];
-    struct s2n_cert_chain_and_key *wc_sni_matches[S2N_CERT_TYPE_COUNT];
-    uint8_t exact_sni_match_exists;
-    uint8_t wc_sni_match_exists;
-};
-
-struct s2n_handshake {
-    struct s2n_stuffer io;
-
-    struct s2n_hash_state md5;
-    struct s2n_hash_state sha1;
-    struct s2n_hash_state sha224;
-    struct s2n_hash_state sha256;
-    struct s2n_hash_state sha384;
-    struct s2n_hash_state sha512;
-    struct s2n_hash_state md5_sha1;
-
-    /* A copy of the handshake messages hash used to validate the CertificateVerify message */
-    struct s2n_hash_state ccv_hash_copy;
-
-    /* Used for SSLv3, TLS 1.0, and TLS 1.1 PRFs */
-    struct s2n_hash_state prf_md5_hash_copy;
-    struct s2n_hash_state prf_sha1_hash_copy;
-    /*Used for TLS 1.2 PRF */
-    struct s2n_hash_state prf_tls12_hash_copy;
-    struct s2n_hash_state server_finished_copy;
-
-    /* Hash algorithms required for this handshake. The set of required hashes can be reduced as session parameters are
-     * negotiated, i.e. cipher suite and protocol version.
-     */
-    uint8_t required_hash_algs[S2N_HASH_SENTINEL];
-
-    uint8_t server_finished[S2N_TLS_SECRET_LEN];
-    uint8_t client_finished[S2N_TLS_SECRET_LEN];
-
-    /* Handshake type is a bitset, with the following
-       bit positions */
-    uint32_t handshake_type;
-
-/* Has the handshake been negotiated yet? */
-#define INITIAL                     0x00
-#define NEGOTIATED                  0x01
-#define IS_NEGOTIATED( type ) ( (type) & NEGOTIATED )
-
-/* Handshake is a full handshake  */
-#define FULL_HANDSHAKE              0x02
-#define IS_FULL_HANDSHAKE( type )   ( (type) & FULL_HANDSHAKE )
-#define IS_RESUMPTION_HANDSHAKE( type ) ( !IS_FULL_HANDSHAKE( (type) ) && IS_NEGOTIATED ( (type) ) )
-
-/* Handshake uses perfect forward secrecy */
-#define TLS12_PERFECT_FORWARD_SECRECY 0x04
-
-/* Handshake needs OCSP status message */
-#define OCSP_STATUS                 0x08
-#define IS_OCSP_STAPLED( type ) ( ( (type) & OCSP_STATUS ) != 0 )
-
-/* Handshake should request a Client Certificate */
-#define CLIENT_AUTH                 0x10
-#define IS_CLIENT_AUTH_HANDSHAKE( type )   ( (type) & CLIENT_AUTH )
-
-/* Session Resumption via session-tickets */
-#define WITH_SESSION_TICKET         0x20
-#define IS_ISSUING_NEW_SESSION_TICKET( type )   ( (type) & WITH_SESSION_TICKET )
-
-/* Handshake requested a Client Certificate but did not get one */
-#define NO_CLIENT_CERT              0x40
-#define IS_CLIENT_AUTH_NO_CERT( type )   ( IS_CLIENT_AUTH_HANDSHAKE( (type) ) && ( (type) & NO_CLIENT_CERT) )
-
-/* A HelloRetryRequest was needed to proceed with the handshake */
-#define HELLO_RETRY_REQUEST         0x80
-
-/* Disguise a TLS1.3 handshake as a TLS1.2 handshake for backwards compatibility
- * with some middleboxes: https://tools.ietf.org/html/rfc8446#appendix-D.4 */
-#define MIDDLEBOX_COMPAT            0x100
-#define IS_MIDDLEBOX_COMPAT_MODE( type ) ( (type) & MIDDLEBOX_COMPAT )
-
-    /* Which handshake message number are we processing */
-    int message_number;
-
-    /* State of the async pkey operation during handshake */
-    s2n_async_state async_state;
-
-    /* Indicates the CLIENT_HELLO message has been completely received */
-    unsigned client_hello_received:1;
-
-    /* Indicates the handshake blocked while trying to read or write data, and has been paused */
-    unsigned paused:1;
-
-    /* Set to 1 if the RSA verification failed */
-    unsigned rsa_failed:1;
-};
-
-extern message_type_t s2n_conn_get_current_message_type(struct s2n_connection *conn);
-extern int s2n_conn_set_handshake_type(struct s2n_connection *conn);
-extern int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn);
-extern int s2n_conn_set_handshake_read_block(struct s2n_connection *conn);
-extern int s2n_conn_clear_handshake_read_block(struct s2n_connection *conn);
-extern int s2n_handshake_require_all_hashes(struct s2n_handshake *handshake);
-extern uint8_t s2n_handshake_is_hash_required(struct s2n_handshake *handshake, s2n_hash_algorithm hash_alg);
-extern int s2n_conn_update_required_handshake_hashes(struct s2n_connection *conn);
-extern int s2n_handshake_get_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg, struct s2n_hash_state *hash_state);
-extern int s2n_handshake_reset_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg);
-extern int s2n_conn_find_name_matching_certs(struct s2n_connection *conn);
-extern int s2n_create_wildcard_hostname(struct s2n_stuffer *hostname, struct s2n_stuffer *output);
-struct s2n_cert_chain_and_key *s2n_get_compatible_cert_chain_and_key(struct s2n_connection *conn, const s2n_pkey_type cert_type);
-int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data);
-S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t *message_type);
-S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn, struct s2n_blob *in);
+/* 
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"). 
+ * You may not use this file except in compliance with the License. 
+ * A copy of the License is located at 
+ * 
+ *  http://aws.amazon.com/apache2.0 
+ * 
+ * or in the "license" file accompanying this file. This file is distributed 
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 
+ * express or implied. See the License for the specific language governing 
+ * permissions and limitations under the License. 
+ */ 
+ 
+#pragma once 
+ 
+#include <stdint.h> 
+#include <s2n.h> 
+ 
+#include "tls/s2n_crypto.h" 
+#include "tls/s2n_signature_algorithms.h" 
+#include "tls/s2n_tls_parameters.h" 
+ 
+#include "stuffer/s2n_stuffer.h" 
+ 
+#include "crypto/s2n_certificate.h" 
+#include "crypto/s2n_hash.h" 
+ 
+/* From RFC 8446: https://tools.ietf.org/html/rfc8446#appendix-B.3 */ 
+#define TLS_HELLO_REQUEST              0 
+#define TLS_CLIENT_HELLO               1 
+#define TLS_SERVER_HELLO               2 
+#define TLS_SERVER_NEW_SESSION_TICKET  4 
+#define TLS_ENCRYPTED_EXTENSIONS       8 
+#define TLS_CERTIFICATE               11 
+#define TLS_SERVER_KEY                12 
+#define TLS_CERT_REQ                  13 
+#define TLS_SERVER_HELLO_DONE         14 
+#define TLS_CERT_VERIFY               15 
+#define TLS_CLIENT_KEY                16 
+#define TLS_FINISHED                  20 
+#define TLS_SERVER_CERT_STATUS        22 
+#define TLS_SERVER_SESSION_LOOKUP     23 
+#define TLS_KEY_UPDATE                24 
+#define TLS_MESSAGE_HASH             254 
+ 
+/* This is the list of message types that we support */ 
+typedef enum { 
+    CLIENT_HELLO=0, 
+    SERVER_HELLO, 
+    SERVER_CERT, 
+    SERVER_NEW_SESSION_TICKET, 
+    SERVER_CERT_STATUS, 
+    SERVER_KEY, 
+    SERVER_CERT_REQ, 
+    SERVER_HELLO_DONE, 
+    CLIENT_CERT, 
+    CLIENT_KEY, 
+    CLIENT_CERT_VERIFY, 
+    CLIENT_CHANGE_CIPHER_SPEC, 
+    CLIENT_FINISHED, 
+    SERVER_CHANGE_CIPHER_SPEC, 
+    SERVER_FINISHED, 
+ 
+    /* TLS1.3 message types. Defined: https://tools.ietf.org/html/rfc8446#appendix-B.3 */ 
+    ENCRYPTED_EXTENSIONS, 
+    SERVER_CERT_VERIFY, 
+    HELLO_RETRY_MSG, 
+ 
+    APPLICATION_DATA, 
+} message_type_t; 
+ 
+typedef enum { 
+    S2N_ASYNC_NOT_INVOKED = 0, 
+    S2N_ASYNC_INVOKING_CALLBACK, 
+    S2N_ASYNC_INVOKED_WAITING, 
+    S2N_ASYNC_INVOKED_COMPLETE, 
+} s2n_async_state; 
+ 
+struct s2n_handshake_parameters { 
+    /* Signature/hash algorithm pairs offered by the client in the signature_algorithms extension */ 
+    struct s2n_sig_scheme_list client_sig_hash_algs; 
+ 
+    /* Signature/hash algorithm pairs offered by the server in the certificate request */ 
+    struct s2n_sig_scheme_list server_sig_hash_algs; 
+ 
+    /* The cert chain we will send the peer. */ 
+    struct s2n_cert_chain_and_key *our_chain_and_key; 
+ 
+    /* The subset of certificates that match the server_name presented in the ClientHello. 
+     * In the case of multiple certificates matching a server_name, s2n will prefer certificates 
+     * in FIFO order based on calls to s2n_config_add_cert_chain_and_key_to_store 
+     * 
+     * Note that in addition to domain matching, the key type for the certificate must also be 
+     * suitable for a negotiation in order to be selected. The set of matching certs here are indexed 
+     * by s2n_authentication_method. 
+     * 
+     * Example: 
+     *    - Assume certA is added to s2n_config via s2n_config_add_cert_chain_and_key_to_store 
+     *    - Next certB is added. 
+     *    - if certA matches www.foo.com and certB matches www.foo.com, s2n will prefer certA 
+     * 
+     * Note that in addition to domain matching, the key type for the certificate must also be 
+     * suitable for a negotiation in order to be selected. 
+     * 
+     * Example: 
+     *    - Assume certA and certB match server_name www.foo.com 
+     *    - certA is ECDSA and certB is RSA. 
+     *    - Client only supports RSA ciphers 
+     *    - certB will be selected. 
+     */ 
+    struct s2n_cert_chain_and_key *exact_sni_matches[S2N_CERT_TYPE_COUNT]; 
+    struct s2n_cert_chain_and_key *wc_sni_matches[S2N_CERT_TYPE_COUNT]; 
+    uint8_t exact_sni_match_exists; 
+    uint8_t wc_sni_match_exists; 
+}; 
+ 
+struct s2n_handshake { 
+    struct s2n_stuffer io; 
+ 
+    struct s2n_hash_state md5; 
+    struct s2n_hash_state sha1; 
+    struct s2n_hash_state sha224; 
+    struct s2n_hash_state sha256; 
+    struct s2n_hash_state sha384; 
+    struct s2n_hash_state sha512; 
+    struct s2n_hash_state md5_sha1; 
+ 
+    /* A copy of the handshake messages hash used to validate the CertificateVerify message */ 
+    struct s2n_hash_state ccv_hash_copy; 
+ 
+    /* Used for SSLv3, TLS 1.0, and TLS 1.1 PRFs */ 
+    struct s2n_hash_state prf_md5_hash_copy; 
+    struct s2n_hash_state prf_sha1_hash_copy; 
+    /*Used for TLS 1.2 PRF */ 
+    struct s2n_hash_state prf_tls12_hash_copy; 
+    struct s2n_hash_state server_finished_copy; 
+ 
+    /* Hash algorithms required for this handshake. The set of required hashes can be reduced as session parameters are 
+     * negotiated, i.e. cipher suite and protocol version. 
+     */ 
+    uint8_t required_hash_algs[S2N_HASH_SENTINEL]; 
+ 
+    uint8_t server_finished[S2N_TLS_SECRET_LEN]; 
+    uint8_t client_finished[S2N_TLS_SECRET_LEN]; 
+ 
+    /* Handshake type is a bitset, with the following 
+       bit positions */ 
+    uint32_t handshake_type; 
+ 
+/* Has the handshake been negotiated yet? */ 
+#define INITIAL                     0x00 
+#define NEGOTIATED                  0x01 
+#define IS_NEGOTIATED( type ) ( (type) & NEGOTIATED ) 
+ 
+/* Handshake is a full handshake  */ 
+#define FULL_HANDSHAKE              0x02 
+#define IS_FULL_HANDSHAKE( type )   ( (type) & FULL_HANDSHAKE ) 
+#define IS_RESUMPTION_HANDSHAKE( type ) ( !IS_FULL_HANDSHAKE( (type) ) && IS_NEGOTIATED ( (type) ) ) 
+ 
+/* Handshake uses perfect forward secrecy */ 
+#define TLS12_PERFECT_FORWARD_SECRECY 0x04 
+ 
+/* Handshake needs OCSP status message */ 
+#define OCSP_STATUS                 0x08 
+#define IS_OCSP_STAPLED( type ) ( ( (type) & OCSP_STATUS ) != 0 ) 
+ 
+/* Handshake should request a Client Certificate */ 
+#define CLIENT_AUTH                 0x10 
+#define IS_CLIENT_AUTH_HANDSHAKE( type )   ( (type) & CLIENT_AUTH ) 
+ 
+/* Session Resumption via session-tickets */ 
+#define WITH_SESSION_TICKET         0x20 
+#define IS_ISSUING_NEW_SESSION_TICKET( type )   ( (type) & WITH_SESSION_TICKET ) 
+ 
+/* Handshake requested a Client Certificate but did not get one */ 
+#define NO_CLIENT_CERT              0x40 
+#define IS_CLIENT_AUTH_NO_CERT( type )   ( IS_CLIENT_AUTH_HANDSHAKE( (type) ) && ( (type) & NO_CLIENT_CERT) ) 
+ 
+/* A HelloRetryRequest was needed to proceed with the handshake */ 
+#define HELLO_RETRY_REQUEST         0x80 
+ 
+/* Disguise a TLS1.3 handshake as a TLS1.2 handshake for backwards compatibility 
+ * with some middleboxes: https://tools.ietf.org/html/rfc8446#appendix-D.4 */ 
+#define MIDDLEBOX_COMPAT            0x100 
+#define IS_MIDDLEBOX_COMPAT_MODE( type ) ( (type) & MIDDLEBOX_COMPAT ) 
+ 
+    /* Which handshake message number are we processing */ 
+    int message_number; 
+ 
+    /* State of the async pkey operation during handshake */ 
+    s2n_async_state async_state; 
+ 
+    /* Indicates the CLIENT_HELLO message has been completely received */ 
+    unsigned client_hello_received:1; 
+ 
+    /* Indicates the handshake blocked while trying to read or write data, and has been paused */ 
+    unsigned paused:1; 
+ 
+    /* Set to 1 if the RSA verification failed */ 
+    unsigned rsa_failed:1; 
+}; 
+ 
+extern message_type_t s2n_conn_get_current_message_type(struct s2n_connection *conn); 
+extern int s2n_conn_set_handshake_type(struct s2n_connection *conn); 
+extern int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn); 
+extern int s2n_conn_set_handshake_read_block(struct s2n_connection *conn); 
+extern int s2n_conn_clear_handshake_read_block(struct s2n_connection *conn); 
+extern int s2n_handshake_require_all_hashes(struct s2n_handshake *handshake); 
+extern uint8_t s2n_handshake_is_hash_required(struct s2n_handshake *handshake, s2n_hash_algorithm hash_alg); 
+extern int s2n_conn_update_required_handshake_hashes(struct s2n_connection *conn); 
+extern int s2n_handshake_get_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg, struct s2n_hash_state *hash_state); 
+extern int s2n_handshake_reset_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg); 
+extern int s2n_conn_find_name_matching_certs(struct s2n_connection *conn); 
+extern int s2n_create_wildcard_hostname(struct s2n_stuffer *hostname, struct s2n_stuffer *output); 
+struct s2n_cert_chain_and_key *s2n_get_compatible_cert_chain_and_key(struct s2n_connection *conn, const s2n_pkey_type cert_type); 
+int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data); 
+S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t *message_type); 
+S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn, struct s2n_blob *in);
author	orivej <orivej@yandex-team.ru>	2022-02-10 16:44:49 +0300
committer	Daniil Cherednik <dcherednik@yandex-team.ru>	2022-02-10 16:44:49 +0300
commit	718c552901d703c502ccbefdfc3c9028d608b947 (patch)
tree	46534a98bbefcd7b1f3faa5b52c138ab27db75b7 /contrib/restricted/aws/s2n/tls/s2n_handshake.h
parent	e9656aae26e0358d5378e5b63dcac5c8dbe0e4d0 (diff)
download	ydb-718c552901d703c502ccbefdfc3c9028d608b947.tar.gz