aboutsummaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorrobot-contrib <robot-contrib@yandex-team.com>2023-02-23 09:38:13 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2023-02-23 09:38:13 +0300
commit2c97e0c9e48d56f449a3abea7594e3655636c39d (patch)
tree1c2d1e71260ab25e03d403255d5f42cb5ac82675 /contrib
parent6842a88830f54c638160425e8c36af2c057bcf70 (diff)
downloadydb-2c97e0c9e48d56f449a3abea7594e3655636c39d.tar.gz
Update contrib/restricted/aws/s2n to 1.3.36
Diffstat (limited to 'contrib')
-rw-r--r--contrib/restricted/aws/s2n/README.md1
-rw-r--r--contrib/restricted/aws/s2n/api/s2n.h2
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c1
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_cipher.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_config.c1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_connection.h8
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_handshake_io.c4
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_ktls.h34
8 files changed, 48 insertions, 4 deletions
diff --git a/contrib/restricted/aws/s2n/README.md b/contrib/restricted/aws/s2n/README.md
index 610960e0f9..1271226f3c 100644
--- a/contrib/restricted/aws/s2n/README.md
+++ b/contrib/restricted/aws/s2n/README.md
@@ -5,7 +5,6 @@ s2n-tls is a C99 implementation of the TLS/SSL protocols that is designed to be
[![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiMndlTzJNbHVxWEo3Nm82alp4eGdGNm4rTWdxZDVYU2VTbitIR0ZLbHVtcFFGOW5majk5QnhqaUp3ZEkydG1ueWg0NGlhRE43a1ZnUzZaQTVnSm91TzFFPSIsIml2UGFyYW1ldGVyU3BlYyI6IlJLbW42NENlYXhJNy80QnYiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)](https://github.com/aws/s2n-tls/)
[![Apache 2 License](https://img.shields.io/github/license/aws/s2n-tls.svg)](http://aws.amazon.com/apache-2-0/)
[![C99](https://img.shields.io/badge/language-C99-blue.svg)](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf)
-[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/aws/s2n-tls.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/aws/s2n-tls/context:cpp)
[![codecov](https://codecov.io/gh/aws/s2n-tls/branch/main/graph/badge.svg)](https://codecov.io/gh/aws/s2n-tls)
[![Github forks](https://img.shields.io/github/forks/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/network)
[![Github stars](https://img.shields.io/github/stars/aws/s2n-tls.svg)](https://github.com/aws/s2n-tls/stargazers)
diff --git a/contrib/restricted/aws/s2n/api/s2n.h b/contrib/restricted/aws/s2n/api/s2n.h
index 19dc7d46df..558d371a03 100644
--- a/contrib/restricted/aws/s2n/api/s2n.h
+++ b/contrib/restricted/aws/s2n/api/s2n.h
@@ -1249,7 +1249,7 @@ typedef int s2n_client_hello_fn(struct s2n_connection *conn, void *ctx);
* - `S2N_CLIENT_HELLO_CB_BLOCKING` (default):
* - In this mode s2n-tls expects the callback to complete its work and return the appropriate response code before the handshake continues. If any of the connection properties were changed based on the server_name extension the callback must either return a value greater than 0 or invoke `s2n_connection_server_name_extension_used`, otherwise the callback returns 0 to continue the handshake.
* - `S2N_CLIENT_HELLO_CB_NONBLOCKING`:
- * - In non-blocking mode, s2n-tls expects the callback to not complete its work. If the callback returns a response code of 0 s2n-tls will return `S2N_FAILURE` with `S2N_ERR_T_BLOCKED` error type and `s2n_blocked_status` set to `S2N_BLOCKED_ON_APPLICATION_INPUT`. The handshake is paused and further calls to `s2n_negotiate` will continue to return the same error until `s2n_client_hello_cb_done` is invoked for the `s2n_connection` to resume the handshake. This allows s2n-tls clients to process client_hello without blocking and then resume the handshake at a later time. If any of the connection properties were changed on the basis of the server_name extension then `s2n_connection_server_name_extension_used` must be invoked before marking the callback done.
+ * - In non-blocking mode, s2n-tls expects the callback to not complete its work. If the callback returns a response code of 0, s2n-tls will return `S2N_FAILURE` with `S2N_ERR_T_BLOCKED` error type and `s2n_blocked_status` set to `S2N_BLOCKED_ON_APPLICATION_INPUT`. The handshake is paused and further calls to `s2n_negotiate` will continue to return the same error until `s2n_client_hello_cb_done` is invoked for the `s2n_connection` to resume the handshake. If any of the connection properties were changed on the basis of the server_name extension then `s2n_connection_server_name_extension_used` must be invoked before marking the callback done.
*/
typedef enum {
S2N_CLIENT_HELLO_CB_BLOCKING,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
index d7127efc72..5fb83b3df7 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
@@ -390,6 +390,7 @@ const struct s2n_cipher s2n_aes128_gcm = {
.set_encryption_key = s2n_aead_cipher_aes128_gcm_set_encryption_key,
.set_decryption_key = s2n_aead_cipher_aes128_gcm_set_decryption_key,
.destroy_key = s2n_aead_cipher_aes_gcm_destroy_key,
+ .ktls_supported = true,
};
const struct s2n_cipher s2n_aes256_gcm = {
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
index fe728e4f5d..a58163025f 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
@@ -81,6 +81,7 @@ struct s2n_cipher {
struct s2n_composite_cipher comp;
} io;
uint8_t key_material_size;
+ bool ktls_supported;
uint8_t (*is_available)(void);
int (*init)(struct s2n_session_key *key);
int (*set_decryption_key)(struct s2n_session_key *key, struct s2n_blob *in);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.c b/contrib/restricted/aws/s2n/tls/s2n_config.c
index 14cabda2e3..71abae5903 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_config.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_config.c
@@ -22,6 +22,7 @@
#include "error/s2n_errno.h"
#include "tls/s2n_cipher_preferences.h"
#include "tls/s2n_internal.h"
+#include "tls/s2n_ktls.h"
#include "tls/s2n_security_policies.h"
#include "tls/s2n_tls13.h"
#include "utils/s2n_blob.h"
diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.h b/contrib/restricted/aws/s2n/tls/s2n_connection.h
index b0d002693d..1711eb75a5 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_connection.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_connection.h
@@ -134,6 +134,10 @@ struct s2n_connection {
* instead of the ALPN extension */
unsigned npn_negotiated : 1;
+ /* Marks if kTLS has been enabled for this connection. */
+ unsigned ktls_send_enabled : 1;
+ unsigned ktls_recv_enabled : 1;
+
/* The configuration (cert, key .. etc ) */
struct s2n_config *config;
@@ -283,8 +287,8 @@ struct s2n_connection {
*/
uint16_t max_outgoing_fragment_length;
- /* The number of bytes to send before changing the record size.
- * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
+ /* The number of bytes to send before changing the record size.
+ * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
*/
uint32_t dynamic_record_resize_threshold;
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
index 87aa6efb88..efc92eb625 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
@@ -1046,12 +1046,16 @@ int s2n_conn_set_handshake_type(struct s2n_connection *conn)
if (conn->config->use_tickets) {
if (conn->session_ticket_status == S2N_DECRYPT_TICKET) {
+ /* We reuse the session if a valid TLS12 ticket is provided.
+ * Otherwise, we will perform a full handshake and then generate
+ * a new session ticket. */
if (s2n_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt) == S2N_SUCCESS) {
return S2N_SUCCESS;
}
POSIX_GUARD_RESULT(s2n_validate_ems_status(conn));
+ /* Set up the handshake to send a session ticket since a valid ticket was not provided */
if (s2n_config_is_encrypt_decrypt_key_available(conn->config) == 1) {
conn->session_ticket_status = S2N_NEW_TICKET;
POSIX_GUARD_RESULT(s2n_handshake_type_set_tls12_flag(conn, WITH_SESSION_TICKET));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_ktls.h b/contrib/restricted/aws/s2n/tls/s2n_ktls.h
new file mode 100644
index 0000000000..117fa3dcae
--- /dev/null
+++ b/contrib/restricted/aws/s2n/tls/s2n_ktls.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#pragma once
+
+#include "tls/s2n_config.h"
+
+/* A set of kTLS configurations representing the combination of sending
+ * and receiving.
+ */
+typedef enum {
+ /* Disable kTLS. */
+ S2N_KTLS_MODE_DISABLED,
+ /* Enable kTLS for the send socket. */
+ S2N_KTLS_MODE_SEND,
+ /* Enable kTLS for the receive socket. */
+ S2N_KTLS_MODE_RECV,
+ /* Enable kTLS for both receive and send sockets. */
+ S2N_KTLS_MODE_DUPLEX,
+} s2n_ktls_mode;
+
+int s2n_config_set_ktls_mode(struct s2n_config *config, s2n_ktls_mode ktls_mode);