author | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-08 07:58:31 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-08 07:58:31 +0300 |
commit | 1e5926b916901f05acb5474e056989b592c011a3 (patch) | |
tree | ae4e3269dfef4e441539d9c8797072d8e21aa168 /contrib/restricted/aws/s2n/tls | |
parent | 3b51ba21855488020df8a45b52e443ef24215ec4 (diff) | |
download | ydb-1e5926b916901f05acb5474e056989b592c011a3.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.33
Diffstat (limited to 'contrib/restricted/aws/s2n/tls')
48 files changed, 120 insertions, 305 deletions
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
index 5b1c2de5c5..bd8754a44e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.c
@@ -86,15 +86,3 @@ static int s2n_client_alpn_recv(struct s2n_connection *conn, struct s2n_stuffer
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_alpn_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_alpn_extension, conn, out);
-}
-
-int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_alpn_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
index 50ac98575a..33252a6e61 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_alpn.h
@@ -21,8 +21,3 @@ extern const s2n_extension_type s2n_client_alpn_extension;
 bool s2n_client_alpn_should_send(struct s2n_connection *conn);
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_alpn_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
index 739a499ba3..0c3909e7cf 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.c
@@ -459,11 +459,6 @@ uint32_t s2n_extensions_client_key_share_size(struct s2n_connection *conn)
     return s2n_client_key_share_extension_size;
 }
-int s2n_extensions_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_key_share_extension, conn, out);
-}
-
 int s2n_extensions_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
     return s2n_extension_recv(&s2n_client_key_share_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
index 8129ea3265..9da85e789c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_key_share.h
@@ -23,4 +23,3 @@ extern const s2n_extension_type s2n_client_key_share_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
 int s2n_extensions_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
 uint32_t s2n_extensions_client_key_share_size(struct s2n_connection *conn);
-int s2n_extensions_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
index 634f507e8f..8019d2d3ef 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.c
@@ -77,15 +77,3 @@ static int s2n_client_max_frag_len_recv(struct s2n_connection *conn, struct s2n_
     POSIX_GUARD_RESULT(s2n_connection_set_max_fragment_length(conn, mfl_code_to_length[mfl_code]));
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_max_frag_len_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_max_frag_len_extension, conn, out);
-}
-
-int s2n_recv_client_max_frag_len(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_max_frag_len_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
index b58b055978..29e8d8347e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_max_frag_len.h
@@ -19,8 +19,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_max_frag_len_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_max_frag_len_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_max_frag_len(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
index a2d0a98a02..5ad72e642c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.c
@@ -82,15 +82,3 @@ static int s2n_client_pq_kem_recv(struct s2n_connection *conn, struct s2n_stuffe
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_pq_kem_send(struct s2n_connection *conn, struct s2n_stuffer *out, uint16_t pq_kem_list_size)
-{
-    return s2n_extension_send(&s2n_client_pq_kem_extension, conn, out);
-}
-
-int s2n_recv_pq_kem_extension(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_pq_kem_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
index 5e089b7567..ae2374a688 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_pq_kem.h
@@ -20,8 +20,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_pq_kem_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_pq_kem_send(struct s2n_connection *conn, struct s2n_stuffer *out, uint16_t pq_kem_list_size);
-int s2n_recv_pq_kem_extension(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
index 120caf47f9..28b9e6c6e4 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.c
@@ -189,10 +189,3 @@ static int s2n_client_renegotiation_if_missing(struct s2n_connection *conn)
         return S2N_SUCCESS;
     }
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_recv_client_renegotiation_info(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_renegotiation_info_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
index f67c1bb896..42ca0f3bff 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_renegotiation_info.h
@@ -19,7 +19,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_renegotiation_info_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_recv_client_renegotiation_info(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
index 98891e7017..708de17f9b 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.c
@@ -45,15 +45,3 @@ static int s2n_client_sct_list_recv(struct s2n_connection *conn, struct s2n_stuf
     /* Skip reading the extension, per RFC6962 (3.1.1) it SHOULD be empty anyway */
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_sct_list_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_sct_list_extension, conn, out);
-}
-
-int s2n_recv_client_sct_list(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_sct_list_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
index cd2be3b1d9..3b2f030d54 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_sct_list.h
@@ -19,8 +19,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_sct_list_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_sct_list_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_sct_list(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
index 0fd0b1ca44..f66c0e6512 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.c
@@ -101,13 +101,3 @@ static int s2n_client_server_name_recv(struct s2n_connection *conn, struct s2n_s
     return S2N_SUCCESS;
 }
-
-int s2n_extensions_client_server_name_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_server_name_extension, conn, out);
-}
-
-int s2n_parse_client_hello_server_name(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_server_name_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
index 4e26b33b8a..8eb868cb6b 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_server_name.h
@@ -20,7 +20,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_server_name_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_server_name_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_parse_client_hello_server_name(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
index 8155f35325..0ca9987c9e 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.c
@@ -69,15 +69,3 @@ static int s2n_client_session_ticket_recv(struct s2n_connection *conn, struct s2
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_session_ticket_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_session_ticket_extension, conn, out);
-}
-
-int s2n_recv_client_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_session_ticket_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
index 58964aaa44..9fd94df00c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_session_ticket.h
@@ -19,7 +19,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_session_ticket_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_session_ticket_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
index 7ee72e6233..876b8a72ad 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.c
@@ -44,21 +44,3 @@ static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, str
 {
     return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.client_sig_hash_algs);
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_signature_algorithms_extension, conn, out);
-}
-
-int s2n_extensions_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_signature_algorithms_extension, conn, extension);
-}
-
-int s2n_extensions_client_signature_algorithms_size(struct s2n_connection *conn)
-{
-    /* extra 6 = 2 from extension type, 2 from extension size, 2 from list length */
-    return s2n_supported_sig_scheme_list_size(conn) + 6;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
index 2d2d00ff9b..2eec70493a 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_signature_algorithms.h
@@ -20,8 +20,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_signature_algorithms_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_extensions_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_extensions_client_signature_algorithms_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
index e5d4b1a29a..dec50e3a39 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.c
@@ -77,15 +77,3 @@ static int s2n_client_status_request_recv(struct s2n_connection *conn, struct s2
     conn->status_type = (s2n_status_request_type) type;
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_extensions_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_status_request_extension, conn, out);
-}
-
-int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_status_request_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
index 61ee7aea09..526a8f678c 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_status_request.h
@@ -20,7 +20,3 @@
 #include "tls/s2n_connection.h"
 extern const s2n_extension_type s2n_client_status_request_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
index f58cbd3a18..4f7e3e12c4 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.c
@@ -185,18 +185,6 @@ static int s2n_client_supported_groups_recv(struct s2n_connection *conn, struct
 /* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_supported_groups_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    POSIX_GUARD(s2n_extension_send(&s2n_client_supported_groups_extension, conn, out));
-
-    /* The original send method also sent ec point formats. To avoid breaking
-     * anything, I'm going to let it continue writing point formats.
-     */
-    POSIX_GUARD(s2n_extension_send(&s2n_client_ec_point_format_extension, conn, out));
-
-    return S2N_SUCCESS;
-}
-
 int s2n_recv_client_supported_groups(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
     return s2n_extension_recv(&s2n_client_supported_groups_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
index 611e392a76..322ac14813 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_groups.h
@@ -23,5 +23,4 @@ extern const s2n_extension_type s2n_client_supported_groups_extension;
 bool s2n_extension_should_send_if_ecc_enabled(struct s2n_connection *conn);
 /* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_extensions_client_supported_groups_send(struct s2n_connection *conn, struct s2n_stuffer *out);
 int s2n_recv_client_supported_groups(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
index b7a8c72715..1880dd8387 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.c
@@ -150,12 +150,8 @@ int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn)
     return version_list_length * S2N_TLS_PROTOCOL_VERSION_LEN + 5;
 }
+/* still used in fuzz test */
 int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
     return s2n_extension_recv(&s2n_client_supported_versions_extension, conn, extension);
 }
-
-int s2n_extensions_client_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_client_supported_versions_extension, conn, out);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
index df6a7c41ff..7b69b92895 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_client_supported_versions.h
@@ -23,4 +23,3 @@ extern const s2n_extension_type s2n_client_supported_versions_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
 int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
 int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn);
-int s2n_extensions_client_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
index 755b2f59cf..ae003c8fc8 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.c
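Review bot: The new `/* still used in fuzz test */` comment above `s2n_extensions_client_supported_versions_recv` says why this wrapper survives but not what has to change before it can go, and the header hunk below still lists the same function under the "remove after extensions refactor is complete" banner, so the next cleanup pass has no pointer to the caller that must be updated first. A comment that names the dependency would make that explicit, e.g. `/* Old-style wrapper: kept only because a fuzz test still calls it; delete it together with that call. */`. The same hint could be attached to the declaration in s2n_client_supported_versions.h, where the recv and size wrappers are the only survivors.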
@@ -71,21 +71,3 @@ static int s2n_ec_point_format_recv(struct s2n_connection *conn, struct s2n_stuf
     conn->ec_point_formats = 1;
     return S2N_SUCCESS;
 }
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-
-int s2n_server_ecc_point_format_extension_size(struct s2n_connection *conn)
-{
-    if (s2n_server_ec_point_format_extension.should_send(conn) && s2n_server_can_send_ec_point_formats(conn)) {
-        return sizeof(uint16_t) /* extension type */
-                + sizeof(uint16_t) /* extension size */
-                + sizeof(uint8_t) /* point list size */
-                + sizeof(uint8_t); /* point */
-    }
-    return 0;
-}
-
-int s2n_recv_client_ec_point_formats(struct s2n_connection *conn, struct s2n_stuffer *extension)
-{
-    return s2n_extension_recv(&s2n_client_ec_point_format_extension, conn, extension);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
index e8c55d369e..d06959d52f 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_ec_point_format.h
@@ -23,7 +23,3 @@ extern const s2n_extension_type s2n_client_ec_point_format_extension;
 extern const s2n_extension_type s2n_server_ec_point_format_extension;
-
-/* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_ecc_point_format_extension_size(struct s2n_connection *conn);
-int s2n_recv_client_ec_point_formats(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
index 7f972064c1..845d573501 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.c
@@ -256,18 +256,3 @@ int s2n_recv_server_renegotiation_info_ext(struct s2n_connection *conn, struct s
 {
     return s2n_extension_recv(&s2n_server_renegotiation_info_extension, conn, extension);
 }
-
-int s2n_send_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_server_renegotiation_info_extension, conn, out);
-}
-
-int s2n_server_renegotiation_info_ext_size(struct s2n_connection *conn)
-{
-    if (s2n_renegotiation_info_should_send(conn)) {
-        /* 2 for ext type, 2 for extension length, 1 for value of 0 */
-        return 5;
-    }
-
-    return 0;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
index eb9a862de5..f72394ba66 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_renegotiation_info.h
@@ -23,5 +23,3 @@ extern const s2n_extension_type s2n_server_renegotiation_info_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
 int s2n_recv_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_send_server_renegotiation_info_ext(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_server_renegotiation_info_ext_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
index 187da6b831..77234a29e1 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.c
@@ -51,18 +51,3 @@ int s2n_recv_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_s
 {
     return s2n_extension_recv(&s2n_server_session_ticket_extension, conn, extension);
 }
-
-int s2n_send_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_server_session_ticket_extension, conn, out);
-}
-
-int s2n_server_session_ticket_ext_size(struct s2n_connection *conn)
-{
-    if (s2n_session_ticket_should_send(conn)) {
-        /* 2 for extension type. 2 for extension length of 0 */
-        return 4;
-    }
-
-    return 0;
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
index d6c8ab35e9..78c242adca 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_session_ticket.h
@@ -23,5 +23,3 @@ extern const s2n_extension_type s2n_server_session_ticket_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
 int s2n_recv_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_send_server_session_ticket_ext(struct s2n_connection *conn, struct s2n_stuffer *out);
-int s2n_server_session_ticket_ext_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
index 4248db8b7c..5752c0a350 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.c
@@ -47,20 +47,6 @@ int s2n_server_status_request_recv(struct s2n_connection *conn, struct s2n_stuff
 /* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_extensions_status_request_send_size(struct s2n_connection *conn)
-{
-    if (s2n_server_can_send_ocsp(conn)) {
-        return 2 * sizeof(uint16_t);
-    }
-
-    return 0;
-}
-
-int s2n_server_extensions_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_server_status_request_extension, conn, out);
-}
-
 int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
     return s2n_extension_recv(&s2n_server_status_request_extension, conn, extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
index 4bb46dd4df..205d3964b9 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_status_request.h
@@ -22,6 +22,4 @@ extern const s2n_extension_type s2n_server_status_request_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
-int s2n_server_extensions_status_request_send_size(struct s2n_connection *conn);
-int s2n_server_extensions_status_request_send(struct s2n_connection *conn, struct s2n_stuffer *out);
 int s2n_recv_server_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension);
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
index 8dc4179683..d950b166fa 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.c
@@ -28,8 +28,8 @@
 /**
  * Specified in https://tools.ietf.org/html/rfc8446#section-4.2.1
  *
- * "A server which negotiates TLS 1.3 MUST respond by sending a
- * "supported_versions" extension containing the selected version value
+ * "A server which negotiates TLS 1.3 MUST respond by sending a
+ * "supported_versions" extension containing the selected version value
  * (0x0304)."
  *
  * Structure:
@@ -112,8 +112,3 @@ int s2n_extensions_server_supported_versions_recv(struct s2n_connection *conn, s
 {
     return s2n_extension_recv(&s2n_server_supported_versions_extension, conn, extension);
 }
-
-int s2n_extensions_server_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
-{
-    return s2n_extension_send(&s2n_server_supported_versions_extension, conn, out);
-}
diff --git a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
index 8a5f74579c..aecbc9ed3a 100644
--- a/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
+++ b/contrib/restricted/aws/s2n/tls/extensions/s2n_server_supported_versions.h
@@ -22,5 +22,4 @@ extern const s2n_extension_type s2n_server_supported_versions_extension;
 /* Old-style extension functions -- remove after extensions refactor is complete */
 int s2n_extensions_server_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
-int s2n_extensions_server_supported_versions_send(struct s2n_connection *conn, struct s2n_stuffer *out);
 int s2n_extensions_server_supported_versions_size(struct s2n_connection *conn);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_alerts.c b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
index 49fa3ffbe3..4e1ea5f31a 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_alerts.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
@@ -253,7 +253,8 @@ int s2n_queue_writer_close_alert_warning(struct s2n_connection *conn)
     alert[0] = S2N_TLS_ALERT_LEVEL_WARNING;
     alert[1] = S2N_TLS_ALERT_CLOSE_NOTIFY;
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
     /* If there is an alert pending or we've already sent a close_notify, do nothing */
     if (s2n_stuffer_data_available(&conn->writer_alert_out) || conn->close_notify_queued) {
@@ -278,7 +279,8 @@ static int s2n_queue_reader_alert(struct s2n_connection *conn, uint8_t level, ui
     alert[0] = level;
     alert[1] = error_code;
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
     /* If there is an alert pending, do nothing */
     if (s2n_stuffer_data_available(&conn->reader_alert_out)) {
diff --git a/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c b/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
index d8ba233290..14478e6d29 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_change_cipher_spec.c
@@ -43,7 +43,8 @@ int s2n_client_ccs_recv(struct s2n_connection *conn)
     POSIX_GUARD(s2n_basic_ccs_recv(conn));
     /* Zero the sequence number */
-    struct s2n_blob seq = { .data = conn->secure->client_sequence_number, .size = sizeof(conn->secure->client_sequence_number) };
+    struct s2n_blob seq = { 0 };
+    POSIX_GUARD(s2n_blob_init(&seq, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
     POSIX_GUARD(s2n_blob_zero(&seq));
     /* Update the client to use the cipher-suite */
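Review bot: In `s2n_queue_writer_close_alert_warning` and `s2n_queue_reader_alert` the new `POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)))` turns what was an infallible designated initializer into an early-return path that now runs before the "if there is an alert pending, do nothing" check, so the function can fail in a case it previously ignored. For a fixed two-byte local `alert` array the init presumably cannot fail, but if the pending-alert branch does not use `out` (its body is outside the hunk), placing the two new lines after that `if` block keeps the no-op path free of a failure point and reads as intended. The same ordering question applies to the `s2n_client_ccs_recv` hunk in s2n_change_cipher_spec.c, where the init call dereferences `conn->secure` exactly as the old initializer did. All three functions continue outside their hunks.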
@@ -65,7 +66,8 @@ int s2n_server_ccs_recv(struct s2n_connection *conn) POSIX_GUARD(s2n_basic_ccs_recv(conn)); /* Zero the sequence number */ - struct s2n_blob seq = { .data = conn->secure->server_sequence_number, .size = sizeof(conn->secure->server_sequence_number) }; + struct s2n_blob seq = { 0 }; + POSIX_GUARD(s2n_blob_init(&seq, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number))); POSIX_GUARD(s2n_blob_zero(&seq)); /* Compute the finished message */ diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c index c2a6e60440..d3a19746ad 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c +++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c @@ -998,7 +998,8 @@ int s2n_cipher_suites_init(void) /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */ if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) { - struct s2n_blob cur_suite_mem = { .data = (uint8_t *) cur_suite, .size = sizeof(struct s2n_cipher_suite) }; + struct s2n_blob cur_suite_mem = { 0 }; + POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite))); struct s2n_blob new_suite_mem = { 0 }; POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.c b/contrib/restricted/aws/s2n/tls/s2n_config.c index 02593a25a2..14cabda2e3 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_config.c +++ b/contrib/restricted/aws/s2n/tls/s2n_config.c 
@@ -841,10 +841,14 @@ int s2n_config_add_ticket_crypto_key(struct s2n_config *config, POSIX_ENSURE(s2n_find_ticket_key(config, name_data) == NULL, S2N_ERR_INVALID_TICKET_KEY_NAME_OR_NAME_LENGTH); uint8_t output_pad[S2N_AES256_KEY_LEN + S2N_TICKET_AAD_IMPLICIT_LEN] = { 0 }; - struct s2n_blob out_key = { .data = output_pad, .size = s2n_array_len(output_pad) }; - struct s2n_blob in_key = { .data = key, .size = key_len }; - struct s2n_blob salt = { .size = 0 }; - struct s2n_blob info = { .size = 0 }; + struct s2n_blob out_key = { 0 }; + POSIX_GUARD(s2n_blob_init(&out_key, output_pad, s2n_array_len(output_pad))); + struct s2n_blob in_key = { 0 }; + POSIX_GUARD(s2n_blob_init(&in_key, key, key_len)); + struct s2n_blob salt = { 0 }; + POSIX_GUARD(s2n_blob_init(&salt, NULL, 0)); + struct s2n_blob info = { 0 }; + POSIX_GUARD(s2n_blob_init(&info, NULL, 0)); struct s2n_ticket_key *session_ticket_key = { 0 }; DEFER_CLEANUP(struct s2n_blob allocator = { 0 }, s2n_free); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_handshake.c index 0168a758f0..49e5aeea58 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.c 
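Review bot: output_pad holds the derived ticket key material (S2N_AES256_KEY_LEN + S2N_TICKET_AAD_IMPLICIT_LEN bytes written through out_key), and this hunk ends before s2n_config_add_ticket_crypto_key does, so it is not visible whether that stack buffer is wiped once the bytes have been copied into session_ticket_key. If it is not, `POSIX_GUARD(s2n_blob_zero(&out_key));` on the exit paths (the same helper the change-cipher-spec hunks use on sequence numbers) would keep the derived secret from lingering on the stack after the call returns. Routing in_key through s2n_blob_init presumably also rejects a NULL key with a non-zero key_len up front now; a one-line comment on that call, `/* rejects key == NULL with key_len > 0 */`, would keep the implicit check from being lost in a later refactor.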
@@ -251,11 +251,14 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn) return S2N_SUCCESS; } const char *name = conn->server_name; - struct s2n_blob hostname_blob = { .data = (uint8_t *) (uintptr_t) name, .size = strlen(name) }; + struct s2n_blob hostname_blob = { 0 }; + POSIX_GUARD(s2n_blob_init(&hostname_blob, (uint8_t *) (uintptr_t) name, strlen(name))); POSIX_ENSURE_LTE(hostname_blob.size, S2N_MAX_SERVER_NAME); char normalized_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 }; POSIX_CHECKED_MEMCPY(normalized_hostname, hostname_blob.data, hostname_blob.size); - struct s2n_blob normalized_name = { .data = (uint8_t *) normalized_hostname, .size = hostname_blob.size }; + struct s2n_blob normalized_name = { 0 }; + POSIX_GUARD(s2n_blob_init(&normalized_name, (uint8_t *) normalized_hostname, hostname_blob.size)); + POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name)); struct s2n_stuffer normalized_hostname_stuffer; POSIX_GUARD(s2n_stuffer_init(&normalized_hostname_stuffer, &normalized_name)); @@ -270,7 +273,8 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn) if (!conn->handshake_params.exact_sni_match_exists) { /* We have not yet found an exact domain match. Try to find wildcard matches. */ char wildcard_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 }; - struct s2n_blob wildcard_blob = { .data = (uint8_t *) wildcard_hostname, .size = sizeof(wildcard_hostname) }; + struct s2n_blob wildcard_blob = { 0 }; + POSIX_GUARD(s2n_blob_init(&wildcard_blob, (uint8_t *) wildcard_hostname, sizeof(wildcard_hostname))); struct s2n_stuffer wildcard_stuffer; POSIX_GUARD(s2n_stuffer_init(&wildcard_stuffer, &wildcard_blob)); POSIX_GUARD(s2n_create_wildcard_hostname(&normalized_hostname_stuffer, &wildcard_stuffer)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c index d73e3edbc8..8c24781a9a 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c 
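Review bot: The added `POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name));` in s2n_conn_find_name_matching_certs makes the SNI name case-insensitive before the certificate lookup, a behaviour change that the commit message does not call out: a name that previously matched only when the client sent the exact case now matches regardless of case, and a stored name containing uppercase characters would stop matching unless the certificate side is normalised the same way. The lookup and the rest of the function are outside this hunk, so I cannot confirm how the stored names are kept; please check, and add a comment above the call along the lines of `/* DNS names are case-insensitive (RFC 4343); lowercase the SNI copy to match how cert names are indexed */`, adjusted to what the index actually does. Note the lowering is applied to the copy in normalized_hostname, so conn->server_name itself keeps the client's case.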
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c @@ -900,7 +900,8 @@ static int s2n_advance_message(struct s2n_connection *conn) int s2n_generate_new_client_session_id(struct s2n_connection *conn) { if (conn->mode == S2N_SERVER) { - struct s2n_blob session_id = { .data = conn->session_id, .size = S2N_TLS_SESSION_ID_MAX_LEN }; + struct s2n_blob session_id = { 0 }; + POSIX_GUARD(s2n_blob_init(&session_id, conn->session_id, S2N_TLS_SESSION_ID_MAX_LEN)); /* Generate a new session id */ POSIX_GUARD_RESULT(s2n_get_public_random_data(&session_id)); @@ -1297,7 +1298,8 @@ static int s2n_handshake_handle_sslv2(struct s2n_connection *conn) S2N_ERROR_IF(ACTIVE_MESSAGE(conn) != CLIENT_HELLO, S2N_ERR_BAD_MESSAGE); /* Add the message to our handshake hashes */ - struct s2n_blob hashed = { .data = conn->header_in.blob.data + 2, .size = 3 }; + struct s2n_blob hashed = { 0 }; + POSIX_GUARD(s2n_blob_init(&hashed, conn->header_in.blob.data + 2, 3)); POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &hashed)); hashed.data = conn->in.blob.data; diff --git a/contrib/restricted/aws/s2n/tls/s2n_kem.c b/contrib/restricted/aws/s2n/tls/s2n_kem.c index d1411baea2..4c830e6960 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_kem.c +++ b/contrib/restricted/aws/s2n/tls/s2n_kem.c @@ -338,7 +338,8 @@ int s2n_kem_send_ciphertext(struct s2n_stuffer *out, struct s2n_kem_params *kem_ POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->ciphertext_length)); /* Ciphertext will get written to *out */ - struct s2n_blob ciphertext = { .data = s2n_stuffer_raw_write(out, kem->ciphertext_length), .size = kem->ciphertext_length }; + struct s2n_blob ciphertext = { 0 }; + POSIX_GUARD(s2n_blob_init(&ciphertext, s2n_stuffer_raw_write(out, kem->ciphertext_length), kem->ciphertext_length)); POSIX_ENSURE_REF(ciphertext.data); /* Saves the shared secret in kem_params */ 
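Review bot: In the SSLv2 hunk the line right after the new `POSIX_GUARD(s2n_blob_init(&hashed, conn->header_in.blob.data + 2, 3));` still re-points `hashed.data = conn->in.blob.data;` by direct field assignment, so the argument validation the commit is introducing by routing blobs through s2n_blob_init is bypassed for the second hash input. Re-initialising with `s2n_blob_init(&hashed, conn->in.blob.data, ...)` using the length set on the following line would keep both inputs on the same path; that size assignment and the rest of s2n_handshake_handle_sslv2 are outside this hunk, so I cannot quote the exact length.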
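Review bot: In s2n_kem_send_ciphertext the result of s2n_stuffer_raw_write is now passed straight into s2n_blob_init, and the `POSIX_ENSURE_REF(ciphertext.data);` on the next line only runs if blob_init accepts it; if s2n_blob_init refuses a NULL pointer with a non-zero size (as its validation presumably does), a full output stuffer now surfaces as blob_init's own error and the ENSURE_REF is unreachable. The ordering this same commit uses in s2n_post_handshake_write_records (raw read into a local, ENSURE_REF, then blob_init) keeps the intended error: `uint8_t *ciphertext_data = s2n_stuffer_raw_write(out, kem->ciphertext_length);` `POSIX_ENSURE_REF(ciphertext_data);` `POSIX_GUARD(s2n_blob_init(&ciphertext, ciphertext_data, kem->ciphertext_length));`. The remainder of the function is outside this hunk.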
diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c index 5b78e129c1..1a74dde55c 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c +++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c @@ -167,12 +167,45 @@ S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn) return S2N_RESULT_OK; } +S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked) +{ + struct s2n_stuffer *message = &conn->handshake.io; + + uint32_t remaining = 0; + while ((remaining = s2n_stuffer_data_available(message)) > 0) { + /* Flush any existing records before we write a new record. + * We do not support buffering multiple handshake records. + */ + if (s2n_stuffer_data_available(&conn->out)) { + RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); + } + + uint16_t max_payload_size = 0; + RESULT_GUARD(s2n_record_max_write_payload_size(conn, &max_payload_size)); + + struct s2n_blob fragment = { 0 }; + uint32_t fragment_size = MIN(remaining, max_payload_size); + uint8_t *fragment_data = s2n_stuffer_raw_read(message, fragment_size); + RESULT_ENSURE_REF(fragment_data); + RESULT_GUARD_POSIX(s2n_blob_init(&fragment, fragment_data, fragment_size)); + + RESULT_GUARD(s2n_record_write(conn, TLS_HANDSHAKE, &fragment)); + RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); + } + + RESULT_GUARD_POSIX(s2n_stuffer_wipe(message)); + return S2N_RESULT_OK; +} + int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked) { POSIX_ENSURE_REF(conn); + POSIX_GUARD_RESULT(s2n_post_handshake_write_records(conn, blocked)); + POSIX_GUARD(s2n_key_update_send(conn, blocked)); POSIX_GUARD_RESULT(s2n_tls13_server_nst_send(conn, blocked)); + POSIX_GUARD(s2n_stuffer_resize(&conn->handshake.io, 0)); return S2N_SUCCESS; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h index 57a4f2b4e7..56621df778 100644 
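Review bot: s2n_post_handshake_write_records cannot make progress if s2n_record_max_write_payload_size ever yields 0: fragment_size becomes 0, s2n_stuffer_raw_read of zero bytes returns a non-NULL pointer, and the while loop spins without consuming `message`. Whether the helper already guarantees a positive size is not visible here, so a guard right after it, `RESULT_ENSURE_GT(max_payload_size, 0);`, would document the assumption and turn that case into an error instead of a hang. The function is also a new non-static entry point with no header comment; a short one stating that it drains conn->handshake.io as one or more TLS_HANDSHAKE records bounded by the write fragment limit, flushes after each record, wipes the stuffer only on completion, and on a blocked flush returns with the already-read fragment sitting in conn->out so the caller must call again would help its second caller in s2n_server_new_session_ticket.c.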
--- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h +++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h @@ -30,3 +30,4 @@ struct s2n_post_handshake { S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn); int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked); +S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked); diff --git a/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c b/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c index 10a85887b8..a141b4bbd3 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c +++ b/contrib/restricted/aws/s2n/tls/s2n_record_read_aead.c @@ -41,13 +41,15 @@ int s2n_record_parse_aead( /* TLS 1.3 record protection uses a different 5 byte associated data than TLS 1.2's */ s2n_stack_blob(aad, is_tls13_record ? S2N_TLS13_AAD_LEN : S2N_TLS_MAX_AAD_LEN, S2N_TLS_MAX_AAD_LEN); - struct s2n_blob en = { .size = encrypted_length, .data = s2n_stuffer_raw_read(&conn->in, encrypted_length) }; + struct s2n_blob en = { 0 }; + POSIX_GUARD(s2n_blob_init(&en, s2n_stuffer_raw_read(&conn->in, encrypted_length), encrypted_length)); POSIX_ENSURE_REF(en.data); /* In AEAD mode, the explicit IV is in the record */ POSIX_ENSURE_GTE(en.size, cipher_suite->record_alg->cipher->io.aead.record_iv_size); uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 }; - struct s2n_blob iv = { .data = aad_iv, .size = sizeof(aad_iv) }; + struct s2n_blob iv = { 0 }; + POSIX_GUARD(s2n_blob_init(&iv, aad_iv, sizeof(aad_iv))); struct s2n_stuffer iv_stuffer = { 0 }; POSIX_GUARD(s2n_stuffer_init(&iv_stuffer, &iv)); 
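Review bot: The new `S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked);` prototype is added without a comment, and unlike its two undocumented neighbours it has a non-obvious contract: it consumes conn->handshake.io, may return an error with `blocked` set partway through a message (presumably via s2n_flush), and wipes the stuffer only once everything has been sent. A three-line comment above the declaration saying that it drains handshake.io as TLS_HANDSHAKE records with a flush after each, that a blocked write leaves the unsent remainder in the stuffer, and that the call must be repeated until it succeeds would keep callers from treating it as all-or-nothing.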
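Review bot: In s2n_record_parse_aead the raw-read pointer now goes through s2n_blob_init before `POSIX_ENSURE_REF(en.data);`, so when the record carries fewer than encrypted_length bytes (raw_read returning NULL) the failure is presumably raised by s2n_blob_init's own argument validation and the ENSURE_REF never runs, which can change the error code the caller reports. Reading into a local first preserves the original check order: `uint8_t *en_data = s2n_stuffer_raw_read(&conn->in, encrypted_length);` `POSIX_ENSURE_REF(en_data);` `POSIX_GUARD(s2n_blob_init(&en, en_data, encrypted_length));`. s2n_record_parse_aead starts and ends outside this hunk.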
@@ -98,7 +100,8 @@ int s2n_record_parse_aead( POSIX_ENSURE_NE(en.size, 0); POSIX_GUARD(cipher_suite->record_alg->cipher->io.aead.decrypt(session_key, &iv, &aad, &en, &en)); - struct s2n_blob seq = { .data = sequence_number, .size = S2N_TLS_SEQUENCE_NUM_LEN }; + struct s2n_blob seq = { 0 }; + POSIX_GUARD(s2n_blob_init(&seq, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN)); POSIX_GUARD(s2n_increment_sequence_number(&seq)); /* O.k., we've successfully read and decrypted the record, now we need to align the stuffer diff --git a/contrib/restricted/aws/s2n/tls/s2n_record_write.c b/contrib/restricted/aws/s2n/tls/s2n_record_write.c index 580218e530..224fd21800 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_record_write.c +++ b/contrib/restricted/aws/s2n/tls/s2n_record_write.c 
@@ -157,20 +157,42 @@ S2N_RESULT s2n_record_min_write_payload_size(struct s2n_connection *conn, uint16 int s2n_record_write_protocol_version(struct s2n_connection *conn, struct s2n_stuffer *out) { uint8_t record_protocol_version = conn->actual_protocol_version; + + /** + *= https://www.rfc-editor.org/rfc/rfc8446#section-5.1 + *# This version value is historical, deriving from the use of 0x0301 for + *# TLS 1.0 and 0x0300 for SSL 3.0. In order to maximize backward + *# compatibility, a record containing an initial ClientHello SHOULD have + *# version 0x0301 (reflecting TLS 1.0) + * + * We set actual_protocol_version early for clients, but we do not + * use that assumed value here in case we are talking to a legacy + * server that expects TLS1.0. + * + * If we are requesting early data, we can assume that we aren't talking to + * a legacy server as a legacy server would not know how to handle early data. + **/ if (conn->server_protocol_version == s2n_unknown_protocol_version && conn->early_data_state != S2N_EARLY_DATA_REQUESTED) { - /* Some legacy TLS implementations can't handle records with protocol version higher than TLS1.0. - * To provide maximum compatibility, send record version as TLS1.0 if server protocol version isn't - * established yet, which happens only during ClientHello message. Note, this has no effect on - * protocol version in ClientHello, so we're still able to negotiate protocol versions above TLS1.0 */ record_protocol_version = MIN(record_protocol_version, S2N_TLS10); } - /* In accordance to TLS 1.3 spec, https://tools.ietf.org/html/rfc8446#section-5.1 - * tls record version should never be greater than 33 (legacy TLS 1.2 version). 
- */ + /** + *= https://www.rfc-editor.org/rfc/rfc8446#section-5.1 + *# legacy_record_version: MUST be set to 0x0303 for all records + *# generated by a TLS 1.3 implementation other than an initial + *# ClientHello (i.e., one not generated after a HelloRetryRequest), + *# where it MAY also be 0x0301 for compatibility purposes. + **/ record_protocol_version = MIN(record_protocol_version, S2N_TLS12); + /* Never send an empty protocol version. + * If the protocol version is unknown, default to TLS1.0 like we do for initial ClientHellos. + */ + if (record_protocol_version == s2n_unknown_protocol_version) { + record_protocol_version = S2N_TLS10; + } + uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN]; protocol_version[0] = record_protocol_version / 10; protocol_version[1] = record_protocol_version % 10; diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c b/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c index dd7c811678..e3593280c2 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c +++ b/contrib/restricted/aws/s2n/tls/s2n_server_key_exchange.c @@ -71,7 +71,9 @@ int s2n_server_key_recv(struct s2n_connection *conn) uint16_t signature_length; POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length)); - struct s2n_blob signature = { .size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length) }; + struct s2n_blob signature = { 0 }; + POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length)); + POSIX_ENSURE_REF(signature.data); POSIX_ENSURE_GT(signature_length, 0); 
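Review bot: The newly added `POSIX_ENSURE_REF(signature.data);` in s2n_server_key_recv sits after s2n_blob_init, which presumably already refuses a NULL data pointer for a non-zero signature_length, so for a truncated ServerKeyExchange the new check never fires and the error comes from blob_init instead; only a zero-length read could reach it, and the following `POSIX_ENSURE_GT(signature_length, 0);` rejects that case anyway. Checking the length first and the pointer before building the blob makes each guard meaningful and mirrors the order the commit uses in s2n_post_handshake_write_records. The rest of s2n_server_key_recv is outside this hunk.
```c
/* … unchanged: read signature_length from the stuffer … */
POSIX_ENSURE_GT(signature_length, 0);
uint8_t *signature_data = s2n_stuffer_raw_read(in, signature_length);
POSIX_ENSURE_REF(signature_data);
struct s2n_blob signature = { 0 };
POSIX_GUARD(s2n_blob_init(&signature, signature_data, signature_length));
```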
@@ -164,7 +166,8 @@ int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_bl struct s2n_stuffer kem_id_stuffer = { 0 }; uint8_t kem_id_arr[2]; kem_extension_size kem_id; - struct s2n_blob kem_id_blob = { .data = kem_id_arr, .size = s2n_array_len(kem_id_arr) }; + struct s2n_blob kem_id_blob = { 0 }; + POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr))); POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob)); POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name))); POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c index 23805b191f..1c073c7faa 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c +++ b/contrib/restricted/aws/s2n/tls/s2n_server_new_session_ticket.c @@ -149,21 +149,6 @@ S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_st RESULT_ENSURE(conn->tickets_sent <= conn->tickets_to_send, S2N_ERR_INTEGER_OVERFLOW); - /* Flush any buffered records to ensure an empty output buffer. - * - * This is important when buffering multiple records because we don't: - * 1) Respect max fragment length for handshake messages - * 2) Check if there is sufficient space in the output buffer for - * post-handshake messages. - * - * Careful how this flush fits into the ordering of this method: - * We want to avoid unnecessary work like repeatedly encrypting - * the ticket if the flush repeatedly blocks, but we also want - * to avoid unnecessarily flushing if no ticket will actually - * need to be sent. - */ - RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); - size_t session_state_size = 0; RESULT_GUARD(s2n_connection_get_session_state_size(conn, &session_state_size)); const size_t maximum_nst_size = session_state_size + S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE; 
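Review bot: `uint8_t kem_id_arr[2];` in s2n_kem_server_key_recv_read_data stays uninitialised while the blob and stuffer beside it are now `{ 0 }`-initialised; the bytes are only read back after s2n_stuffer_write fills them and a failed write bails through POSIX_GUARD, so this is a consistency point rather than a defect, but `uint8_t kem_id_arr[sizeof(kem_extension_size)] = { 0 };` would follow the convention the commit applies everywhere else and tie the buffer size to the type it is decoded into. The function continues outside this hunk.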
@@ -176,18 +161,9 @@ S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_st return S2N_RESULT_OK; } - struct s2n_blob nst_blob = { 0 }; - uint16_t nst_size = s2n_stuffer_data_available(nst_stuffer); - uint8_t *nst_data = s2n_stuffer_raw_read(nst_stuffer, nst_size); - RESULT_ENSURE_REF(nst_data); - RESULT_GUARD_POSIX(s2n_blob_init(&nst_blob, nst_data, nst_size)); - - RESULT_GUARD(s2n_record_write(conn, TLS_HANDSHAKE, &nst_blob)); - RESULT_GUARD_POSIX(s2n_flush(conn, blocked)); - RESULT_GUARD_POSIX(s2n_stuffer_wipe(nst_stuffer)); + RESULT_GUARD(s2n_post_handshake_write_records(conn, blocked)); } - RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0)); return S2N_RESULT_OK; } diff --git a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c index 55024f3676..6453862e5a 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c +++ b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.c @@ -28,6 +28,8 @@ static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme) { + POSIX_ENSURE_REF(conn); + /* We don't know what protocol version we will eventually negotiate, but we know that it won't be any higher. */ POSIX_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version); @@ -50,6 +52,7 @@ static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, cons static int s2n_signature_scheme_valid_to_accept(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme) { POSIX_ENSURE_REF(scheme); + POSIX_ENSURE_REF(conn); POSIX_GUARD(s2n_signature_scheme_valid_to_offer(conn, scheme)); 
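Review bot: The deleted comment explained that the flush in s2n_tls13_server_nst_send was placed before serialisation so that a repeatedly blocking socket would not cause the ticket to be re-encrypted; with `RESULT_GUARD(s2n_post_handshake_write_records(conn, blocked));` the flush of conn->out now happens after the ticket has already been written into the stuffer, so a blocked flush returns with a fully built ticket left in conn->handshake.io. Whether the next call resumes that ticket or serialises a fresh one on top of it depends on the loop body above, which is outside this hunk; a comment at this call stating which it is would replace the rationale the commit removed. The `s2n_stuffer_resize(nst_stuffer, 0)` release is also gone from this function and now only happens in s2n_post_handshake_send, so any other caller of s2n_tls13_server_nst_send no longer shrinks the stuffer; if there is none, a comment saying the caller owns the resize would make that explicit.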
@@ -57,6 +60,14 @@ static int s2n_signature_scheme_valid_to_accept(struct s2n_connection *conn, con POSIX_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version); } + POSIX_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION); + if (conn->actual_protocol_version >= S2N_TLS13) { + POSIX_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1); + POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA); + } else { + POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS); + } + return 0; } |
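Review bot: The new TLS 1.3 restrictions in s2n_signature_scheme_valid_to_accept carry no comment tying them to the spec, while the same commit annotates s2n_record_write_protocol_version with `*= https://www.rfc-editor.org/rfc/rfc8446#section-5.1` quote blocks; the SHA-1 and S2N_SIGNATURE_RSA rejections correspond to RFC 8446 section 4.4.3, which requires RSA signatures in CertificateVerify to use RSASSA-PSS regardless of what signature_algorithms lists and forbids SHA-1 in any CertificateVerify signature. A quote block in that style above `if (conn->actual_protocol_version >= S2N_TLS13) {` would make the check auditable, and a one-liner on the else branch explaining why S2N_SIGNATURE_RSA_PSS_PSS is refused below TLS 1.3 would help, since that looks like a project choice rather than an RFC 8446 rule. The function begins in the preceding hunk, outside this one.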