diff options
author | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-23 09:38:13 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-02-23 09:38:13 +0300 |
commit | 2c97e0c9e48d56f449a3abea7594e3655636c39d (patch) | |
tree | 1c2d1e71260ab25e03d403255d5f42cb5ac82675 /contrib/restricted | |
parent | 6842a88830f54c638160425e8c36af2c057bcf70 (diff) | |
download | ydb-2c97e0c9e48d56f449a3abea7594e3655636c39d.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.36
Diffstat (limited to 'contrib/restricted')
-rw-r--r-- | contrib/restricted/aws/s2n/README.md | 1 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/api/s2n.h | 2 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c | 1 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/crypto/s2n_cipher.h | 1 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_config.c | 1 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_connection.h | 8 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_handshake_io.c | 4 | ||||
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_ktls.h | 34 |
8 files changed, 48 insertions, 4 deletions
diff --git a/contrib/restricted/aws/s2n/README.md b/contrib/restricted/aws/s2n/README.md index 610960e0f9..1271226f3c 100644 --- a/contrib/restricted/aws/s2n/README.md +++ b/contrib/restricted/aws/s2n/README.md @@ -5,7 +5,6 @@ s2n-tls is a C99 implementation of the TLS/SSL protocols that is designed to be [![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiMndlTzJNbHVxWEo3Nm82alp4eGdGNm4rTWdxZDVYU2VTbitIR0ZLbHVtcFFGOW5majk5QnhqaUp3ZEkydG1ueWg0NGlhRE43a1ZnUzZaQTVnSm91TzFFPSIsIml2UGFyYW1ldGVyU3BlYyI6IlJLbW42NENlYXhJNy80QnYiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)](https://github.com/aws/s2n-tls/) [![Apache 2 License](https://img.shields.io/github/license/aws/s2n-tls.svg)](http://aws.amazon.com/apache-2-0/) [![C99](https://img.shields.io/badge/language-C99-blue.svg)](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf) -[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/aws/s2n-tls.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/aws/s2n-tls/context:cpp) [![codecov](https://codecov.io/gh/aws/s2n-tls/branch/main/graph/badge.svg)](https://codecov.io/gh/aws/s2n-tls) [![Github forks](https://img.shields.io/github/forks/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/network) [![Github stars](https://img.shields.io/github/stars/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/stargazers) diff --git a/contrib/restricted/aws/s2n/api/s2n.h b/contrib/restricted/aws/s2n/api/s2n.h index 19dc7d46df..558d371a03 100644 --- a/contrib/restricted/aws/s2n/api/s2n.h +++ b/contrib/restricted/aws/s2n/api/s2n.h @@ -1249,7 +1249,7 @@ typedef int s2n_client_hello_fn(struct s2n_connection *conn, void *ctx); * - `S2N_CLIENT_HELLO_CB_BLOCKING` (default): * - In this mode s2n-tls expects the callback to complete its work and return the appropriate response code before the handshake continues. If any of the connection properties were changed based on the server_name extension the callback must either return a value greater than 0 or invoke `s2n_connection_server_name_extension_used`, otherwise the callback returns 0 to continue the handshake. * - `S2N_CLIENT_HELLO_CB_NONBLOCKING`: - * - In non-blocking mode, s2n-tls expects the callback to not complete its work. If the callback returns a response code of 0 s2n-tls will return `S2N_FAILURE` with `S2N_ERR_T_BLOCKED` error type and `s2n_blocked_status` set to `S2N_BLOCKED_ON_APPLICATION_INPUT`. The handshake is paused and further calls to `s2n_negotiate` will continue to return the same error until `s2n_client_hello_cb_done` is invoked for the `s2n_connection` to resume the handshake. This allows s2n-tls clients to process client_hello without blocking and then resume the handshake at a later time. If any of the connection properties were changed on the basis of the server_name extension then `s2n_connection_server_name_extension_used` must be invoked before marking the callback done. + * - In non-blocking mode, s2n-tls expects the callback to not complete its work. If the callback returns a response code of 0, s2n-tls will return `S2N_FAILURE` with `S2N_ERR_T_BLOCKED` error type and `s2n_blocked_status` set to `S2N_BLOCKED_ON_APPLICATION_INPUT`. The handshake is paused and further calls to `s2n_negotiate` will continue to return the same error until `s2n_client_hello_cb_done` is invoked for the `s2n_connection` to resume the handshake. If any of the connection properties were changed on the basis of the server_name extension then `s2n_connection_server_name_extension_used` must be invoked before marking the callback done. */ typedef enum { S2N_CLIENT_HELLO_CB_BLOCKING, diff --git a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c index d7127efc72..5fb83b3df7 100644 --- a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c +++ b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c @@ -390,6 +390,7 @@ const struct s2n_cipher s2n_aes128_gcm = { .set_encryption_key = s2n_aead_cipher_aes128_gcm_set_encryption_key, .set_decryption_key = s2n_aead_cipher_aes128_gcm_set_decryption_key, .destroy_key = s2n_aead_cipher_aes_gcm_destroy_key, + .ktls_supported = true, }; const struct s2n_cipher s2n_aes256_gcm = { diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h index fe728e4f5d..a58163025f 100644 --- a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h +++ b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h @@ -81,6 +81,7 @@ struct s2n_cipher { struct s2n_composite_cipher comp; } io; uint8_t key_material_size; + bool ktls_supported; uint8_t (*is_available)(void); int (*init)(struct s2n_session_key *key); int (*set_decryption_key)(struct s2n_session_key *key, struct s2n_blob *in); diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.c b/contrib/restricted/aws/s2n/tls/s2n_config.c index 14cabda2e3..71abae5903 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_config.c +++ b/contrib/restricted/aws/s2n/tls/s2n_config.c @@ -22,6 +22,7 @@ #include "error/s2n_errno.h" #include "tls/s2n_cipher_preferences.h" #include "tls/s2n_internal.h" +#include "tls/s2n_ktls.h" #include "tls/s2n_security_policies.h" #include "tls/s2n_tls13.h" #include "utils/s2n_blob.h" diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.h b/contrib/restricted/aws/s2n/tls/s2n_connection.h index b0d002693d..1711eb75a5 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_connection.h +++ b/contrib/restricted/aws/s2n/tls/s2n_connection.h @@ -134,6 +134,10 @@ struct s2n_connection { * instead of the ALPN extension */ unsigned npn_negotiated : 1; + /* Marks if kTLS has been enabled for this connection. */ + unsigned ktls_send_enabled : 1; + unsigned ktls_recv_enabled : 1; + /* The configuration (cert, key .. etc ) */ struct s2n_config *config; @@ -283,8 +287,8 @@ struct s2n_connection { */ uint16_t max_outgoing_fragment_length; - /* The number of bytes to send before changing the record size. - * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default). + /* The number of bytes to send before changing the record size. + * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default). */ uint32_t dynamic_record_resize_threshold; diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c index 87aa6efb88..efc92eb625 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c +++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c @@ -1046,12 +1046,16 @@ int s2n_conn_set_handshake_type(struct s2n_connection *conn) if (conn->config->use_tickets) { if (conn->session_ticket_status == S2N_DECRYPT_TICKET) { + /* We reuse the session if a valid TLS12 ticket is provided. + * Otherwise, we will perform a full handshake and then generate + * a new session ticket. */ if (s2n_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt) == S2N_SUCCESS) { return S2N_SUCCESS; } POSIX_GUARD_RESULT(s2n_validate_ems_status(conn)); + /* Set up the handshake to send a session ticket since a valid ticket was not provided */ if (s2n_config_is_encrypt_decrypt_key_available(conn->config) == 1) { conn->session_ticket_status = S2N_NEW_TICKET; POSIX_GUARD_RESULT(s2n_handshake_type_set_tls12_flag(conn, WITH_SESSION_TICKET)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_ktls.h b/contrib/restricted/aws/s2n/tls/s2n_ktls.h new file mode 100644 index 0000000000..117fa3dcae --- /dev/null +++ b/contrib/restricted/aws/s2n/tls/s2n_ktls.h @@ -0,0 +1,34 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://aws.amazon.com/apache2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +#pragma once + +#include "tls/s2n_config.h" + +/* A set of kTLS configurations representing the combination of sending + * and receiving. + */ +typedef enum { + /* Disable kTLS. */ + S2N_KTLS_MODE_DISABLED, + /* Enable kTLS for the send socket. */ + S2N_KTLS_MODE_SEND, + /* Enable kTLS for the receive socket. */ + S2N_KTLS_MODE_RECV, + /* Enable kTLS for both receive and send sockets. */ + S2N_KTLS_MODE_DUPLEX, +} s2n_ktls_mode; + +int s2n_config_set_ktls_mode(struct s2n_config *config, s2n_ktls_mode ktls_mode); |