authorrobot-contrib <robot-contrib@yandex-team.com>2023-02-08 07:58:31 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2023-02-08 07:58:31 +0300
commit1e5926b916901f05acb5474e056989b592c011a3 (patch)
treeae4e3269dfef4e441539d9c8797072d8e21aa168 /contrib/restricted/aws/s2n/tls
parent3b51ba21855488020df8a45b52e443ef24215ec4 (diff)
downloadydb-1e5926b916901f05acb5474e056989b592c011a3.tar.gz
Update contrib/restricted/aws/s2n to 1.3.33
Diffstat (limited to 'contrib/restricted/aws/s2n/tls')
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c7
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h4
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c10
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h4
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h4
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c18
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h5
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h4
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c6
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c18
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h4
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c15
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c15
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c14
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c9
-rw-r--r--contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_alerts.c6
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c6
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c3
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_config.c12
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_handshake.c10
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_handshake_io.c6
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_kem.c3
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_post_handshake.c33
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_post_handshake.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c9
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_record_write.c36
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c7
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c26
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c11
48 files changed, 120 insertions, 305 deletions
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
index 5b1c2de5c5..bd8754a44e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
@@ -86,15 +86,3 @@ static int s2n_client_alpn_recv(struct s2n_connection *conn, struct s2n_stuffer
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_alpn_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_alpn_extension, conn, out);
-}
-
-int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_alpn_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
index 50ac98575a..33252a6e61 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
@@ -21,8 +21,3 @@
extern const s2n_extension_type s2n_client_alpn_extension;
bool s2n_client_alpn_should_send(struct s2n_connection *conn);
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_alpn_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
index 739a499ba3..0c3909e7cf 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
@@ -459,11 +459,6 @@ uint32_t s2n_extensions_client_key_share_size(struct s2n_connection *conn)
return s2n_client_key_share_extension_size;
}
-int s2n_extensions_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_key_share_extension, conn, out);
-}
-
int s2n_extensions_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
return s2n_extension_recv(&s2n_client_key_share_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
index 8129ea3265..9da85e789c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
@@ -23,4 +23,3 @@ extern const s2n_extension_type s2n_client_key_share_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
int s2n_extensions_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
uint32_t s2n_extensions_client_key_share_size(struct s2n_connection *conn);
-int s2n_extensions_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
index 634f507e8f..8019d2d3ef 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
@@ -77,15 +77,3 @@ static int s2n_client_max_frag_len_recv(struct s2n_connection *conn, struct s2n_
POSIX_GUARD_RESULT(s2n_connection_set_max_fragment_length(conn, mfl_code_to_length[mfl_code]));
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_max_frag_len_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_max_frag_len_extension, conn, out);
-}
-
-int s2n_recv_client_max_frag_len(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_max_frag_len_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
index b58b055978..29e8d8347e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
@@ -19,8 +19,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_max_frag_len_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_max_frag_len_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_max_frag_len(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
index a2d0a98a02..5ad72e642c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
@@ -82,15 +82,3 @@ static int s2n_client_pq_kem_recv(struct s2n_connection *conn, struct s2n_stuffe
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_pq_kem_send(struct s2n_connection *conn, struct s2n_stuffer *out, uint16_t pq_kem_list_size)
-{
- return s2n_extension_send(&s2n_client_pq_kem_extension, conn, out);
-}
-
-int s2n_recv_pq_kem_extension(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_pq_kem_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
index 5e089b7567..ae2374a688 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
@@ -20,8 +20,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_pq_kem_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_pq_kem_send(struct s2n_connection *conn, struct s2n_stuffer *out, uint16_t pq_kem_list_size);
-int s2n_recv_pq_kem_extension(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
index 120caf47f9..28b9e6c6e4 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
@@ -189,10 +189,3 @@ static int s2n_client_renegotiation_if_missing(struct s2n_connection *conn)
return S2N_SUCCESS;
}
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_recv_client_renegotiation_info(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_renegotiation_info_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
index f67c1bb896..42ca0f3bff 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
@@ -19,7 +19,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_renegotiation_info_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_recv_client_renegotiation_info(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
index 98891e7017..708de17f9b 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
@@ -45,15 +45,3 @@ static int s2n_client_sct_list_recv(struct s2n_connection *conn, struct s2n_stuf
/* Skip reading the extension, per RFC6962 (3.1.1) it SHOULD be empty anyway */
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_sct_list_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_sct_list_extension, conn, out);
-}
-
-int s2n_recv_client_sct_list(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_sct_list_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
index cd2be3b1d9..3b2f030d54 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
@@ -19,8 +19,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_sct_list_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_sct_list_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_sct_list(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
index 0fd0b1ca44..f66c0e6512 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
@@ -101,13 +101,3 @@ static int s2n_client_server_name_recv(struct s2n_connection *conn, struct s2n_s
return S2N_SUCCESS;
}
-
-int s2n_extensions_client_server_name_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_server_name_extension, conn, out);
-}
-
-int s2n_parse_client_hello_server_name(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_server_name_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
index 4e26b33b8a..8eb868cb6b 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
@@ -20,7 +20,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_server_name_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_server_name_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_parse_client_hello_server_name(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
index 8155f35325..0ca9987c9e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
@@ -69,15 +69,3 @@ static int s2n_client_session_ticket_recv(struct s2n_connection *conn, struct s2
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_session_ticket_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_session_ticket_extension, conn, out);
-}
-
-int s2n_recv_client_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_session_ticket_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
index 58964aaa44..9fd94df00c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
@@ -19,7 +19,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_session_ticket_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_session_ticket_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
index 7ee72e6233..876b8a72ad 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
@@ -44,21 +44,3 @@ static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, str
{
return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.client_sig_hash_algs);
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_signature_algorithms_extension, conn, out);
-}
-
-int s2n_extensions_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_signature_algorithms_extension, conn, extension);
-}
-
-int s2n_extensions_client_signature_algorithms_size(struct s2n_connection *conn)
-{
- /* extra 6 = 2 from extension type, 2 from extension size, 2 from list length */
- return s2n_supported_sig_scheme_list_size(conn) + 6;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
index 2d2d00ff9b..2eec70493a 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
@@ -20,8 +20,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_signature_algorithms_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_extensions_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_extensions_client_signature_algorithms_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
index e5d4b1a29a..dec50e3a39 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
@@ -77,15 +77,3 @@ static int s2n_client_status_request_recv(struct s2n_connection *conn, struct s2
conn->status_type = (s2n_status_request_type) type;
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_status_request_extension, conn, out);
-}
-
-int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_status_request_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
index 61ee7aea09..526a8f678c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
@@ -20,7 +20,3 @@
#include "tls/s2n_connection.h"
extern const s2n_extension_type s2n_client_status_request_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
index f58cbd3a18..4f7e3e12c4 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
@@ -185,18 +185,6 @@ static int s2n_client_supported_groups_recv(struct s2n_connection *conn, struct
/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_supported_groups_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- POSIX_GUARD(s2n_extension_send(&s2n_client_supported_groups_extension, conn, out));
-
- /* The original send method also sent ec point formats. To avoid breaking
- * anything, I'm going to let it continue writing point formats.
- */
- POSIX_GUARD(s2n_extension_send(&s2n_client_ec_point_format_extension, conn, out));
-
- return S2N_SUCCESS;
-}
-
int s2n_recv_client_supported_groups(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
return s2n_extension_recv(&s2n_client_supported_groups_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
index 611e392a76..322ac14813 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
@@ -23,5 +23,4 @@ extern const s2n_extension_type s2n_client_supported_groups_extension;
bool s2n_extension_should_send_if_ecc_enabled(struct s2n_connection *conn);
/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_supported_groups_send(struct s2n_connection *conn, struct s2n_stuffer *out);
int s2n_recv_client_supported_groups(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
index b7a8c72715..1880dd8387 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
@@ -150,12 +150,8 @@ int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn)
return version_list_length * S2N_TLS_PROTOCOL_VERSION_LEN + 5;
}
+/* still used in fuzz test */
int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
return s2n_extension_recv(&s2n_client_supported_versions_extension, conn, extension);
}
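Review bot: The added comment `/* still used in fuzz test */` on s2n_extensions_client_supported_versions_recv does not name the test that keeps this wrapper alive or state when it may be removed, so the next cleanup pass has to rediscover that by grepping; a comment such as `/* Old-style wrapper kept only because a fuzz test still calls it; delete together with that test. */` would make the removal condition explicit. The matching header, s2n_client_supported_versions.h, still declares this recv wrapper together with the _size wrapper under the generic "remove after extensions refactor is complete" note, so the two files now give different reasons for why these symbols remain. Since this is a vendored copy under contrib/restricted, the wording presumably mirrors upstream s2n and the fix belongs there rather than in this import.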
-
-int s2n_extensions_client_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_client_supported_versions_extension, conn, out);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
index df6a7c41ff..7b69b92895 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
@@ -23,4 +23,3 @@ extern const s2n_extension_type s2n_client_supported_versions_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn);
-int s2n_extensions_client_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
index 755b2f59cf..ae003c8fc8 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
@@ -71,21 +71,3 @@ static int s2n_ec_point_format_recv(struct s2n_connection *conn, struct s2n_stuf
conn->ec_point_formats = 1;
return S2N_SUCCESS;
}
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_server_ecc_point_format_extension_size(struct s2n_connection *conn)
-{
- if (s2n_server_ec_point_format_extension.should_send(conn) && s2n_server_can_send_ec_point_formats(conn)) {
- return sizeof(uint16_t) /* extension type */
- + sizeof(uint16_t) /* extension size */
- + sizeof(uint8_t) /* point list size */
- + sizeof(uint8_t); /* point */
- }
- return 0;
-}
-
-int s2n_recv_client_ec_point_formats(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
- return s2n_extension_recv(&s2n_client_ec_point_format_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
index e8c55d369e..d06959d52f 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
@@ -23,7 +23,3 @@
extern const s2n_extension_type s2n_client_ec_point_format_extension;
extern const s2n_extension_type s2n_server_ec_point_format_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_ecc_point_format_extension_size(struct s2n_connection *conn);
-int s2n_recv_client_ec_point_formats(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
index 7f972064c1..845d573501 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
@@ -256,18 +256,3 @@ int s2n_recv_server_renegotiation_info_ext(struct s2n_connection *conn, struct s
{
return s2n_extension_recv(&s2n_server_renegotiation_info_extension, conn, extension);
}
-
-int s2n_send_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_server_renegotiation_info_extension, conn, out);
-}
-
-int s2n_server_renegotiation_info_ext_size(struct s2n_connection *conn)
-{
- if (s2n_renegotiation_info_should_send(conn)) {
- /* 2 for ext type, 2 for extension length, 1 for value of 0 */
- return 5;
- }
-
- return 0;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
index eb9a862de5..f72394ba66 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
@@ -23,5 +23,3 @@ extern const s2n_extension_type s2n_server_renegotiation_info_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
int s2n_recv_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_send_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_server_renegotiation_info_ext_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
index 187da6b831..77234a29e1 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
@@ -51,18 +51,3 @@ int s2n_recv_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_s
{
return s2n_extension_recv(&s2n_server_session_ticket_extension, conn, extension);
}
-
-int s2n_send_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_server_session_ticket_extension, conn, out);
-}
-
-int s2n_server_session_ticket_ext_size(struct s2n_connection *conn)
-{
- if (s2n_session_ticket_should_send(conn)) {
- /* 2 for extension type. 2 for extension length of 0 */
- return 4;
- }
-
- return 0;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
index d6c8ab35e9..78c242adca 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
@@ -23,5 +23,3 @@ extern const s2n_extension_type s2n_server_session_ticket_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
int s2n_recv_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_send_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_server_session_ticket_ext_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
index 4248db8b7c..5752c0a350 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
@@ -47,20 +47,6 @@ int s2n_server_status_request_recv(struct s2n_connection *conn, struct s2n_stuff
/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_extensions_status_request_send_size(struct s2n_connection *conn)
-{
- if (s2n_server_can_send_ocsp(conn)) {
- return 2 * sizeof(uint16_t);
- }
-
- return 0;
-}
-
-int s2n_server_extensions_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_server_status_request_extension, conn, out);
-}
-
int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
return s2n_extension_recv(&s2n_server_status_request_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
index 4bb46dd4df..205d3964b9 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
@@ -22,6 +22,4 @@
extern const s2n_extension_type s2n_server_status_request_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_extensions_status_request_send_size(struct s2n_connection *conn);
-int s2n_server_extensions_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out);
int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
index 8dc4179683..d950b166fa 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
@@ -28,8 +28,8 @@
/**
* Specified in https://tools.ietf.org/html/rfc8446#section-4.2.1
*
- * "A server which negotiates TLS 1.3 MUST respond by sending a
- * "supported_versions" extension containing the selected version value
+ * "A server which negotiates TLS 1.3 MUST respond by sending a
+ * "supported_versions" extension containing the selected version value
* (0x0304)."
*
* Structure:
@@ -112,8 +112,3 @@ int s2n_extensions_server_supported_versions_recv(struct s2n_connection *conn, s
{
return s2n_extension_recv(&s2n_server_supported_versions_extension, conn, extension);
}
-
-int s2n_extensions_server_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
- return s2n_extension_send(&s2n_server_supported_versions_extension, conn, out);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
index 8a5f74579c..aecbc9ed3a 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
@@ -22,5 +22,4 @@ extern const s2n_extension_type s2n_server_supported_versions_extension;
/* Old-style extension functions -- remove after extensions refactor is complete */
int s2n_extensions_server_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_extensions_server_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out);
int s2n_extensions_server_supported_versions_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_alerts.c b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
index 49fa3ffbe3..4e1ea5f31a 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_alerts.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
@@ -253,7 +253,8 @@ int s2n_queue_writer_close_alert_warning(struct s2n_connection *conn)
alert[0] = S2N_TLS_ALERT_LEVEL_WARNING;
alert[1] = S2N_TLS_ALERT_CLOSE_NOTIFY;
- struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+ struct s2n_blob out = { 0 };
+ POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
/* If there is an alert pending or we've already sent a close_notify, do nothing */
if (s2n_stuffer_data_available(&conn->writer_alert_out) || conn->close_notify_queued) {
@@ -278,7 +279,8 @@ static int s2n_queue_reader_alert(struct s2n_connection *conn, uint8_t level, ui
alert[0] = level;
alert[1] = error_code;
- struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+ struct s2n_blob out = { 0 };
+ POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
/* If there is an alert pending, do nothing */
if (s2n_stuffer_data_available(&conn->reader_alert_out)) {
diff --git a/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c b/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
index d8ba233290..14478e6d29 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
@@ -43,7 +43,8 @@ int s2n_client_ccs_recv(struct s2n_connection *conn)
POSIX_GUARD(s2n_basic_ccs_recv(conn));
/* Zero the sequence number */
- struct s2n_blob seq = { .data = conn->secure->client_sequence_number, .size = sizeof(conn->secure->client_sequence_number) };
+ struct s2n_blob seq = { 0 };
+ POSIX_GUARD(s2n_blob_init(&seq, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
POSIX_GUARD(s2n_blob_zero(&seq));
/* Update the client to use the cipher-suite */
@@ -65,7 +66,8 @@ int s2n_server_ccs_recv(struct s2n_connection *conn)
POSIX_GUARD(s2n_basic_ccs_recv(conn));
/* Zero the sequence number */
- struct s2n_blob seq = { .data = conn->secure->server_sequence_number, .size = sizeof(conn->secure->server_sequence_number) };
+ struct s2n_blob seq = { 0 };
+ POSIX_GUARD(s2n_blob_init(&seq, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number)));
POSIX_GUARD(s2n_blob_zero(&seq));
/* Compute the finished message */
diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
index c2a6e60440..d3a19746ad 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
@@ -998,7 +998,8 @@ int s2n_cipher_suites_init(void)
/* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */
if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) {
- struct s2n_blob cur_suite_mem = { .data = (uint8_t *) cur_suite, .size = sizeof(struct s2n_cipher_suite) };
+ struct s2n_blob cur_suite_mem = { 0 };
+ POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite)));
struct s2n_blob new_suite_mem = { 0 };
POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.c b/contrib/restricted/aws/s2n/tls/s2n_config.c
index 02593a25a2..14cabda2e3 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_config.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_config.c
@@ -841,10 +841,14 @@ int s2n_config_add_ticket_crypto_key(struct s2n_config *config,
POSIX_ENSURE(s2n_find_ticket_key(config, name_data) == NULL, S2N_ERR_INVALID_TICKET_KEY_NAME_OR_NAME_LENGTH);
uint8_t output_pad[S2N_AES256_KEY_LEN + S2N_TICKET_AAD_IMPLICIT_LEN] = { 0 };
- struct s2n_blob out_key = { .data = output_pad, .size = s2n_array_len(output_pad) };
- struct s2n_blob in_key = { .data = key, .size = key_len };
- struct s2n_blob salt = { .size = 0 };
- struct s2n_blob info = { .size = 0 };
+ struct s2n_blob out_key = { 0 };
+ POSIX_GUARD(s2n_blob_init(&out_key, output_pad, s2n_array_len(output_pad)));
+ struct s2n_blob in_key = { 0 };
+ POSIX_GUARD(s2n_blob_init(&in_key, key, key_len));
+ struct s2n_blob salt = { 0 };
+ POSIX_GUARD(s2n_blob_init(&salt, NULL, 0));
+ struct s2n_blob info = { 0 };
+ POSIX_GUARD(s2n_blob_init(&info, NULL, 0));
struct s2n_ticket_key *session_ticket_key = { 0 };
DEFER_CLEANUP(struct s2n_blob allocator = { 0 }, s2n_free);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_handshake.c
index 0168a758f0..49e5aeea58 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.c
@@ -251,11 +251,14 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
return S2N_SUCCESS;
}
const char *name = conn->server_name;
- struct s2n_blob hostname_blob = { .data = (uint8_t *) (uintptr_t) name, .size = strlen(name) };
+ struct s2n_blob hostname_blob = { 0 };
+ POSIX_GUARD(s2n_blob_init(&hostname_blob, (uint8_t *) (uintptr_t) name, strlen(name)));
POSIX_ENSURE_LTE(hostname_blob.size, S2N_MAX_SERVER_NAME);
char normalized_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
POSIX_CHECKED_MEMCPY(normalized_hostname, hostname_blob.data, hostname_blob.size);
- struct s2n_blob normalized_name = { .data = (uint8_t *) normalized_hostname, .size = hostname_blob.size };
+ struct s2n_blob normalized_name = { 0 };
+ POSIX_GUARD(s2n_blob_init(&normalized_name, (uint8_t *) normalized_hostname, hostname_blob.size));
+
POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name));
struct s2n_stuffer normalized_hostname_stuffer;
POSIX_GUARD(s2n_stuffer_init(&normalized_hostname_stuffer, &normalized_name));
@@ -270,7 +273,8 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
if (!conn->handshake_params.exact_sni_match_exists) {
/* We have not yet found an exact domain match. Try to find wildcard matches. */
char wildcard_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
- struct s2n_blob wildcard_blob = { .data = (uint8_t *) wildcard_hostname, .size = sizeof(wildcard_hostname) };
+ struct s2n_blob wildcard_blob = { 0 };
+ POSIX_GUARD(s2n_blob_init(&wildcard_blob, (uint8_t *) wildcard_hostname, sizeof(wildcard_hostname)));
struct s2n_stuffer wildcard_stuffer;
POSIX_GUARD(s2n_stuffer_init(&wildcard_stuffer, &wildcard_blob));
POSIX_GUARD(s2n_create_wildcard_hostname(&normalized_hostname_stuffer, &wildcard_stuffer));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
index d73e3edbc8..8c24781a9a 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
@@ -900,7 +900,8 @@ static int s2n_advance_message(struct s2n_connection *conn)
int s2n_generate_new_client_session_id(struct s2n_connection *conn)
{
if (conn->mode == S2N_SERVER) {
- struct s2n_blob session_id = { .data = conn->session_id, .size = S2N_TLS_SESSION_ID_MAX_LEN };
+ struct s2n_blob session_id = { 0 };
+ POSIX_GUARD(s2n_blob_init(&session_id, conn->session_id, S2N_TLS_SESSION_ID_MAX_LEN));
/* Generate a new session id */
POSIX_GUARD_RESULT(s2n_get_public_random_data(&session_id));
@@ -1297,7 +1298,8 @@ static int s2n_handshake_handle_sslv2(struct s2n_connection *conn)
S2N_ERROR_IF(ACTIVE_MESSAGE(conn) != CLIENT_HELLO, S2N_ERR_BAD_MESSAGE);
/* Add the message to our handshake hashes */
- struct s2n_blob hashed = { .data = conn->header_in.blob.data + 2, .size = 3 };
+ struct s2n_blob hashed = { 0 };
+ POSIX_GUARD(s2n_blob_init(&hashed, conn->header_in.blob.data + 2, 3));
POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &hashed));
hashed.data = conn->in.blob.data;
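Review bot: The re-pointing of `hashed.data` on the last context line still writes the struct field directly, immediately after the commit replaced the blob's initializer with `s2n_blob_init` for exactly the validation that a bare field write skips. For consistency with the rest of this change, the second use could go through the same call, e.g. `POSIX_GUARD(s2n_blob_init(&hashed, conn->in.blob.data, <size assigned on the following line>));`, replacing the `.data` assignment and whatever `.size` assignment follows it. s2n_handshake_handle_sslv2's body continues outside the hunk, so the size expression is not visible here.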
diff --git a/contrib/restricted/aws/s2n/tls/s2n_kem.c b/contrib/restricted/aws/s2n/tls/s2n_kem.c
index d1411baea2..4c830e6960 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_kem.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_kem.c
@@ -338,7 +338,8 @@ int s2n_kem_send_ciphertext(struct s2n_stuffer *out, struct s2n_kem_params *kem_
POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->ciphertext_length));
/* Ciphertext will get written to *out */
- struct s2n_blob ciphertext = { .data = s2n_stuffer_raw_write(out, kem->ciphertext_length), .size = kem->ciphertext_length };
+ struct s2n_blob ciphertext = { 0 };
+ POSIX_GUARD(s2n_blob_init(&ciphertext, s2n_stuffer_raw_write(out, kem->ciphertext_length), kem->ciphertext_length));
POSIX_ENSURE_REF(ciphertext.data);
/* Saves the shared secret in kem_params */
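Review bot: The new `s2n_blob_init` call receives the result of `s2n_stuffer_raw_read` directly, so the `POSIX_ENSURE_REF(ciphertext.data)` on the following line is only reached if `s2n_blob_init` accepts a NULL data pointer with a non-zero size; if it validates its arguments (as I believe it does), a too-short stuffer now fails inside `s2n_blob_init` with that function's error rather than the null-reference error the explicit check was written to raise. The new `s2n_post_handshake_write_records` in this same commit shows the cleaner ordering — read into a local, ENSURE_REF it, then init the blob — so here: `uint8_t *ciphertext_data = s2n_stuffer_raw_read(out, kem->ciphertext_length);` / `POSIX_ENSURE_REF(ciphertext_data);` / `POSIX_GUARD(s2n_blob_init(&ciphertext, ciphertext_data, kem->ciphertext_length));`. The same pattern appears in the `en` blob in s2n_record_read_aead.c and the `signature` blob in s2n_server_key_exchange.c. s2n_kem_send_ciphertext starts outside the hunk.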
diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
index 5b78e129c1..1a74dde55c 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
@@ -167,12 +167,45 @@ S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn)
return S2N_RESULT_OK;
}
+S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked)
+{
+ struct s2n_stuffer *message = &conn->handshake.io;
+
+ uint32_t remaining = 0;
+ while ((remaining = s2n_stuffer_data_available(message)) > 0) {
+ /* Flush any existing records before we write a new record.
+ * We do not support buffering multiple handshake records.
+ */
+ if (s2n_stuffer_data_available(&conn->out)) {
+ RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
+ }
+
+ uint16_t max_payload_size = 0;
+ RESULT_GUARD(s2n_record_max_write_payload_size(conn, &max_payload_size));
+
+ struct s2n_blob fragment = { 0 };
+ uint32_t fragment_size = MIN(remaining, max_payload_size);
+ uint8_t *fragment_data = s2n_stuffer_raw_read(message, fragment_size);
+ RESULT_ENSURE_REF(fragment_data);
+ RESULT_GUARD_POSIX(s2n_blob_init(&fragment, fragment_data, fragment_size));
+
+ RESULT_GUARD(s2n_record_write(conn, TLS_HANDSHAKE, &fragment));
+ RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
+ }
+
+ RESULT_GUARD_POSIX(s2n_stuffer_wipe(message));
+ return S2N_RESULT_OK;
+}
+
int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked)
{
POSIX_ENSURE_REF(conn);
+ POSIX_GUARD_RESULT(s2n_post_handshake_write_records(conn, blocked));
+
POSIX_GUARD(s2n_key_update_send(conn, blocked));
POSIX_GUARD_RESULT(s2n_tls13_server_nst_send(conn, blocked));
+ POSIX_GUARD(s2n_stuffer_resize(&conn->handshake.io, 0));
return S2N_SUCCESS;
}
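Review bot: `s2n_post_handshake_write_records` dereferences `conn->handshake.io` with no null check on `conn`, although it is exported through the header and after this commit has two callers; the sibling `s2n_post_handshake_send` guards `conn`, and the signature-algorithm hunks in this same commit add `POSIX_ENSURE_REF(conn)` to their helpers. A `RESULT_ENSURE_REF(conn);` as the first statement would match that convention. The function also has no header comment; I would add one stating that it drains `conn->handshake.io` into handshake records no larger than `s2n_record_max_write_payload_size`, flushing `conn->out` before writing and after each record because only one handshake record is buffered at a time, and that it wipes the stuffer on success. If a blocked flush at the end of the loop returns an error, the fragment already consumed by `s2n_stuffer_raw_read` is sitting in `conn->out` and the retry depends on the flush at the top of the loop; a comment on that flush would keep someone from "simplifying" it away.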
diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
index 57a4f2b4e7..56621df778 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
@@ -30,3 +30,4 @@ struct s2n_post_handshake {
S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn);
int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked);
+S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c b/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c
index 10a85887b8..a141b4bbd3 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c
@@ -41,13 +41,15 @@ int s2n_record_parse_aead(
/* TLS 1.3 record protection uses a different 5 byte associated data than TLS 1.2's */
s2n_stack_blob(aad, is_tls13_record ? S2N_TLS13_AAD_LEN : S2N_TLS_MAX_AAD_LEN, S2N_TLS_MAX_AAD_LEN);
- struct s2n_blob en = { .size = encrypted_length, .data = s2n_stuffer_raw_read(&conn->in, encrypted_length) };
+ struct s2n_blob en = { 0 };
+ POSIX_GUARD(s2n_blob_init(&en, s2n_stuffer_raw_read(&conn->in, encrypted_length), encrypted_length));
POSIX_ENSURE_REF(en.data);
/* In AEAD mode, the explicit IV is in the record */
POSIX_ENSURE_GTE(en.size, cipher_suite->record_alg->cipher->io.aead.record_iv_size);
uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
- struct s2n_blob iv = { .data = aad_iv, .size = sizeof(aad_iv) };
+ struct s2n_blob iv = { 0 };
+ POSIX_GUARD(s2n_blob_init(&iv, aad_iv, sizeof(aad_iv)));
struct s2n_stuffer iv_stuffer = { 0 };
POSIX_GUARD(s2n_stuffer_init(&iv_stuffer, &iv));
@@ -98,7 +100,8 @@ int s2n_record_parse_aead(
POSIX_ENSURE_NE(en.size, 0);
POSIX_GUARD(cipher_suite->record_alg->cipher->io.aead.decrypt(session_key, &iv, &aad, &en, &en));
- struct s2n_blob seq = { .data = sequence_number, .size = S2N_TLS_SEQUENCE_NUM_LEN };
+ struct s2n_blob seq = { 0 };
+ POSIX_GUARD(s2n_blob_init(&seq, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
POSIX_GUARD(s2n_increment_sequence_number(&seq));
/* O.k., we've successfully read and decrypted the record, now we need to align the stuffer
diff --git a/contrib/restricted/aws/s2n/tls/s2n_record_write.c b/contrib/restricted/aws/s2n/tls/s2n_record_write.c
index 580218e530..224fd21800 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_record_write.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_record_write.c
@@ -157,20 +157,42 @@ S2N_RESULT s2n_record_min_write_payload_size(struct s2n_connection *conn, uint16
int s2n_record_write_protocol_version(struct s2n_connection *conn, struct s2n_stuffer *out)
{
uint8_t record_protocol_version = conn->actual_protocol_version;
+
+ /**
+ *= https://www.rfc-editor.org/rfc/rfc8446#section-5.1
+ *# This version value is historical, deriving from the use of 0x0301 for
+ *# TLS 1.0 and 0x0300 for SSL 3.0. In order to maximize backward
+ *# compatibility, a record containing an initial ClientHello SHOULD have
+ *# version 0x0301 (reflecting TLS 1.0)
+ *
+ * We set actual_protocol_version early for clients, but we do not
+ * use that assumed value here in case we are talking to a legacy
+ * server that expects TLS1.0.
+ *
+ * If we are requesting early data, we can assume that we aren't talking to
+ * a legacy server as a legacy server would not know how to handle early data.
+ **/
if (conn->server_protocol_version == s2n_unknown_protocol_version
&& conn->early_data_state != S2N_EARLY_DATA_REQUESTED) {
- /* Some legacy TLS implementations can't handle records with protocol version higher than TLS1.0.
- * To provide maximum compatibility, send record version as TLS1.0 if server protocol version isn't
- * established yet, which happens only during ClientHello message. Note, this has no effect on
- * protocol version in ClientHello, so we're still able to negotiate protocol versions above TLS1.0 */
record_protocol_version = MIN(record_protocol_version, S2N_TLS10);
}
- /* In accordance to TLS 1.3 spec, https://tools.ietf.org/html/rfc8446#section-5.1
- * tls record version should never be greater than 33 (legacy TLS 1.2 version).
- */
+ /**
+ *= https://www.rfc-editor.org/rfc/rfc8446#section-5.1
+ *# legacy_record_version: MUST be set to 0x0303 for all records
+ *# generated by a TLS 1.3 implementation other than an initial
+ *# ClientHello (i.e., one not generated after a HelloRetryRequest),
+ *# where it MAY also be 0x0301 for compatibility purposes.
+ **/
record_protocol_version = MIN(record_protocol_version, S2N_TLS12);
+ /* Never send an empty protocol version.
+ * If the protocol version is unknown, default to TLS1.0 like we do for initial ClientHellos.
+ */
+ if (record_protocol_version == s2n_unknown_protocol_version) {
+ record_protocol_version = S2N_TLS10;
+ }
+
uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
protocol_version[0] = record_protocol_version / 10;
protocol_version[1] = record_protocol_version % 10;
diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c b/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c
index dd7c811678..e3593280c2 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c
@@ -71,7 +71,9 @@ int s2n_server_key_recv(struct s2n_connection *conn)
uint16_t signature_length;
POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
- struct s2n_blob signature = { .size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length) };
+ struct s2n_blob signature = { 0 };
+ POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length));
+
POSIX_ENSURE_REF(signature.data);
POSIX_ENSURE_GT(signature_length, 0);
@@ -164,7 +166,8 @@ int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_bl
struct s2n_stuffer kem_id_stuffer = { 0 };
uint8_t kem_id_arr[2];
kem_extension_size kem_id;
- struct s2n_blob kem_id_blob = { .data = kem_id_arr, .size = s2n_array_len(kem_id_arr) };
+ struct s2n_blob kem_id_blob = { 0 };
+ POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr)));
POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c
index 23805b191f..1c073c7faa 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c
@@ -149,21 +149,6 @@ S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_st
RESULT_ENSURE(conn->tickets_sent <= conn->tickets_to_send, S2N_ERR_INTEGER_OVERFLOW);
- /* Flush any buffered records to ensure an empty output buffer.
- *
- * This is important when buffering multiple records because we don't:
- * 1) Respect max fragment length for handshake messages
- * 2) Check if there is sufficient space in the output buffer for
- * post-handshake messages.
- *
- * Careful how this flush fits into the ordering of this method:
- * We want to avoid unnecessary work like repeatedly encrypting
- * the ticket if the flush repeatedly blocks, but we also want
- * to avoid unnecessarily flushing if no ticket will actually
- * need to be sent.
- */
- RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
-
size_t session_state_size = 0;
RESULT_GUARD(s2n_connection_get_session_state_size(conn, &session_state_size));
const size_t maximum_nst_size = session_state_size + S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE;
@@ -176,18 +161,9 @@ S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_st
return S2N_RESULT_OK;
}
- struct s2n_blob nst_blob = { 0 };
- uint16_t nst_size = s2n_stuffer_data_available(nst_stuffer);
- uint8_t *nst_data = s2n_stuffer_raw_read(nst_stuffer, nst_size);
- RESULT_ENSURE_REF(nst_data);
- RESULT_GUARD_POSIX(s2n_blob_init(&nst_blob, nst_data, nst_size));
-
- RESULT_GUARD(s2n_record_write(conn, TLS_HANDSHAKE, &nst_blob));
- RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
- RESULT_GUARD_POSIX(s2n_stuffer_wipe(nst_stuffer));
+ RESULT_GUARD(s2n_post_handshake_write_records(conn, blocked));
}
- RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
return S2N_RESULT_OK;
}
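Review bot: The `s2n_stuffer_resize(nst_stuffer, 0)` this hunk removes now happens only in `s2n_post_handshake_send`, where it shrinks `conn->handshake.io`, so `s2n_tls13_server_nst_send` no longer releases the ticket buffer itself; that is fine if `s2n_post_handshake_send` is its only caller, which I cannot confirm from this hunk. Any other caller would keep the allocated buffer until the next post-handshake send. A one-line comment at the new call, `/* handshake.io is shrunk by s2n_post_handshake_send once all post-handshake messages are written */`, would record the dependency. The function starts outside the hunk.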
diff --git a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c
index 55024f3676..6453862e5a 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c
@@ -28,6 +28,8 @@
static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme)
{
+ POSIX_ENSURE_REF(conn);
+
/* We don't know what protocol version we will eventually negotiate, but we know that it won't be any higher. */
POSIX_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version);
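Review bot: The added `POSIX_ENSURE_REF(conn)` covers only one of the two pointers dereferenced here; `scheme->minimum_protocol_version` is read on the last line with no check on `scheme`, while the sibling `s2n_signature_scheme_valid_to_accept` below checks `scheme` before calling this helper. Other callers of this static function are not visible in the hunk, so add `POSIX_ENSURE_REF(scheme);` next to the new conn check to make the helper self-contained.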
@@ -50,6 +52,7 @@ static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, cons
static int s2n_signature_scheme_valid_to_accept(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme)
{
POSIX_ENSURE_REF(scheme);
+ POSIX_ENSURE_REF(conn);
POSIX_GUARD(s2n_signature_scheme_valid_to_offer(conn, scheme));
@@ -57,6 +60,14 @@ static int s2n_signature_scheme_valid_to_accept(struct s2n_connection *conn, con
POSIX_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version);
}
+ POSIX_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION);
+ if (conn->actual_protocol_version >= S2N_TLS13) {
+ POSIX_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1);
+ POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA);
+ } else {
+ POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
+ }
+
return 0;
}
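Review bot: The new version-dependent rejections carry no rationale, while the rest of this commit documents RFC-derived rules with `*=` compliance comments (see s2n_record_write.c). I would precede the `if (conn->actual_protocol_version >= S2N_TLS13)` block with one citing https://www.rfc-editor.org/rfc/rfc8446#section-4.2.3, which says the RSASSA-PKCS1-v1_5 and SHA-1 code points refer solely to signatures that appear in certificates and are not defined for use in signed TLS 1.3 handshake messages, and state in the `else` branch why rsa_pss_pss is excluded below TLS 1.3. Since this is the accept-side check, a peer that negotiates TLS 1.3 and then signs a handshake message with one of the legacy schemes is now rejected, which is the defensive direction; the offer-side helper `s2n_signature_scheme_valid_to_offer` above does not get the same restriction, presumably because those schemes remain valid for certificate signatures, and that asymmetry is worth a sentence in the comment.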