aboutsummaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorrobot-contrib <robot-contrib@yandex-team.com>2022-12-22 08:12:51 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2022-12-22 08:12:51 +0300
commit5e473ae99515dcc385d93e469a3b5bcce2a316e6 (patch)
tree2069fa52e25be8cdc325780d273ddcff70b4fb8a /contrib
parentfb9ac8a6a226ef5b6aa8fc8d58563d5e69680766 (diff)
downloadydb-5e473ae99515dcc385d93e469a3b5bcce2a316e6.tar.gz
Update contrib/restricted/aws/s2n to 1.3.30
Diffstat (limited to 'contrib')
-rw-r--r--contrib/restricted/aws/s2n/CMakeLists.darwin.txt1
-rw-r--r--contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt1
-rw-r--r--contrib/restricted/aws/s2n/CMakeLists.linux.txt1
-rw-r--r--contrib/restricted/aws/s2n/README.md2
-rw-r--r--contrib/restricted/aws/s2n/api/s2n.h609
-rw-r--r--contrib/restricted/aws/s2n/api/unstable/crl.h30
-rw-r--r--contrib/restricted/aws/s2n/api/unstable/renegotiate.h9
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hash.c4
-rw-r--r--contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_kem.c6
-rw-r--r--contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c86
-rw-r--r--contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.h22
-rw-r--r--contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c9
-rw-r--r--contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c77
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c66
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_cipher_suites.h1
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_config.c2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_connection.c8
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_connection.h3
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_handshake.c10
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_handshake_io.c6
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_kem.c20
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_kem.h12
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_post_handshake.c187
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_post_handshake.h9
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_protocol_preferences.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_quic_support.c2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_recv.c29
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_security_policies.c15
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_tls.h2
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_x509_validator.c5
33 files changed, 719 insertions, 522 deletions
diff --git a/contrib/restricted/aws/s2n/CMakeLists.darwin.txt b/contrib/restricted/aws/s2n/CMakeLists.darwin.txt
index 8c122d8e34..d07abb6bd6 100644
--- a/contrib/restricted/aws/s2n/CMakeLists.darwin.txt
+++ b/contrib/restricted/aws/s2n/CMakeLists.darwin.txt
@@ -74,6 +74,7 @@ target_sources(restricted-aws-s2n PRIVATE
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_polyvec.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_reduce.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_symmetric-shake.c
+ ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer.c
diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt
index 4a102973ee..c6eeac74d2 100644
--- a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt
+++ b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt
@@ -69,6 +69,7 @@ target_sources(restricted-aws-s2n PRIVATE
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_polyvec.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_reduce.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_symmetric-shake.c
+ ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer.c
diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux.txt b/contrib/restricted/aws/s2n/CMakeLists.linux.txt
index 95c3540d4d..c1c1a63f71 100644
--- a/contrib/restricted/aws/s2n/CMakeLists.linux.txt
+++ b/contrib/restricted/aws/s2n/CMakeLists.linux.txt
@@ -76,6 +76,7 @@ target_sources(restricted-aws-s2n PRIVATE
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_polyvec.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_reduce.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_symmetric-shake.c
+ ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/pq-crypto/s2n_pq_random.c
${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/stuffer/s2n_stuffer.c
diff --git a/contrib/restricted/aws/s2n/README.md b/contrib/restricted/aws/s2n/README.md
index a8e777075b..610960e0f9 100644
--- a/contrib/restricted/aws/s2n/README.md
+++ b/contrib/restricted/aws/s2n/README.md
@@ -19,7 +19,7 @@ git clone https://github.com/${YOUR_GITHUB_ACCOUNT_NAME}/s2n-tls.git
cd s2n-tls
# Pick an "env" line from the codebuild/codebuild.config file and run it, in this case choose the openssl-1.1.1 with GCC 9 build
-S2N_LIBCRYPTO=openssl-1.1.1 BUILD_S2N=true TESTS=integration GCC_VERSION=9
+S2N_LIBCRYPTO=openssl-1.1.1 BUILD_S2N=true TESTS=integrationv2 GCC_VERSION=9
sudo codebuild/bin/s2n_install_test_dependencies.sh
codebuild/bin/s2n_codebuild.sh
diff --git a/contrib/restricted/aws/s2n/api/s2n.h b/contrib/restricted/aws/s2n/api/s2n.h
index 90067edc2b..a1006caf44 100644
--- a/contrib/restricted/aws/s2n/api/s2n.h
+++ b/contrib/restricted/aws/s2n/api/s2n.h
@@ -119,8 +119,7 @@ extern "C" {
*
* @warning To avoid possible confusion, s2n_errno should be cleared after processing an error: `s2n_errno = S2N_ERR_T_OK`
*/
-S2N_API
-extern __thread int s2n_errno;
+S2N_API extern __thread int s2n_errno;
/**
* This function can be used instead of trying to resolve `s2n_errno` directly
@@ -128,8 +127,7 @@ extern __thread int s2n_errno;
*
* @returns The address of the thread-local `s2n_errno` variable
*/
-S2N_API
-extern int *s2n_errno_location(void);
+S2N_API extern int *s2n_errno_location(void);
/**
* Used to help applications determine why an s2n-tls function failed.
@@ -174,8 +172,7 @@ typedef enum {
* @param error The error from s2n. Usually this is `s2n_errno`.
* @returns An s2n_error_type
*/
-S2N_API
-extern int s2n_error_get_type(int error);
+S2N_API extern int s2n_error_get_type(int error);
/**
* An opaque configuration object, used by clients and servers for holding cryptographic certificates, keys and preferences.
@@ -201,8 +198,7 @@ struct s2n_connection;
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_crypto_disable_init(void);
+S2N_API extern int s2n_crypto_disable_init(void);
/**
* Prevents S2N from installing an atexit handler, which allows safe shutdown of S2N from within a
@@ -216,8 +212,7 @@ extern int s2n_crypto_disable_init(void);
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_disable_atexit(void);
+S2N_API extern int s2n_disable_atexit(void);
/**
* Fetches the OpenSSL version s2n-tls was compiled with. This can be used by applications to validate at runtime
@@ -225,8 +220,7 @@ extern int s2n_disable_atexit(void);
*
* @returns the version number of OpenSSL that s2n-tls was compiled with
*/
-S2N_API
-extern unsigned long s2n_get_openssl_version(void);
+S2N_API extern unsigned long s2n_get_openssl_version(void);
/**
* Initializes the s2n-tls library and should be called once in your application, before any other s2n-tls
@@ -236,8 +230,7 @@ extern unsigned long s2n_get_openssl_version(void);
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_init(void);
+S2N_API extern int s2n_init(void);
/**
* Cleans up any internal resources used by s2n-tls. This function should be called from each thread or process
@@ -245,16 +238,14 @@ extern int s2n_init(void);
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cleanup(void);
+S2N_API extern int s2n_cleanup(void);
/**
* Create a new s2n_config object. This object can (and should) be associated with many connection objects.
*
* @returns returns a new configuration object suitable for associating certs and keys.
*/
-S2N_API
-extern struct s2n_config *s2n_config_new(void);
+S2N_API extern struct s2n_config *s2n_config_new(void);
/**
* Frees the memory associated with an `s2n_config` object.
@@ -262,8 +253,7 @@ extern struct s2n_config *s2n_config_new(void);
* @param config The configuration object being freed
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_free(struct s2n_config *config);
+S2N_API extern int s2n_config_free(struct s2n_config *config);
/**
* Frees the DH params associated with an `s2n_config` object.
@@ -271,8 +261,7 @@ extern int s2n_config_free(struct s2n_config *config);
* @param config The configuration object with DH params being freed
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_free_dhparams(struct s2n_config *config);
+S2N_API extern int s2n_config_free_dhparams(struct s2n_config *config);
/**
* Frees the certificate chain and key associated with an `s2n_config` object.
@@ -280,8 +269,7 @@ extern int s2n_config_free_dhparams(struct s2n_config *config);
* @param config The configuration object with DH params being freed
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_free_cert_chain_and_key(struct s2n_config *config);
+S2N_API extern int s2n_config_free_cert_chain_and_key(struct s2n_config *config);
/**
* Callback function type used to get the system time.
@@ -353,8 +341,7 @@ typedef int (*s2n_cache_delete_callback)(struct s2n_connection *conn, void *, co
* @param ctx An opaque pointer that the callback will be invoked with
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_wall_clock(struct s2n_config *config, s2n_clock_time_nanoseconds clock_fn, void *ctx);
+S2N_API extern int s2n_config_set_wall_clock(struct s2n_config *config, s2n_clock_time_nanoseconds clock_fn, void *ctx);
/**
* Allows the caller to set a callback function that will be used to get
@@ -368,8 +355,7 @@ extern int s2n_config_set_wall_clock(struct s2n_config *config, s2n_clock_time_n
* @param ctx An opaque pointer that the callback will be invoked with
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_monotonic_clock(struct s2n_config *config, s2n_clock_time_nanoseconds clock_fn, void *ctx);
+S2N_API extern int s2n_config_set_monotonic_clock(struct s2n_config *config, s2n_clock_time_nanoseconds clock_fn, void *ctx);
/**
* Translates an s2n_error code to a human readable string explaining the error.
@@ -378,8 +364,7 @@ extern int s2n_config_set_monotonic_clock(struct s2n_config *config, s2n_clock_t
* @param lang The language to explain the error code. Pass "EN" or NULL for English.
* @returns The error string
*/
-S2N_API
-extern const char *s2n_strerror(int error, const char *lang);
+S2N_API extern const char *s2n_strerror(int error, const char *lang);
/**
* Translates an s2n_error code to a human readable string containing internal debug
@@ -390,8 +375,7 @@ extern const char *s2n_strerror(int error, const char *lang);
* @param lang The language to explain the error code. Pass "EN" or NULL for English.
* @returns The error string
*/
-S2N_API
-extern const char *s2n_strerror_debug(int error, const char *lang);
+S2N_API extern const char *s2n_strerror_debug(int error, const char *lang);
/**
* Translates an s2n_error code to a human readable string.
@@ -399,8 +383,7 @@ extern const char *s2n_strerror_debug(int error, const char *lang);
* @param error The error code to explain. Usually this is s2n_errno
* @returns The error string
*/
-S2N_API
-extern const char *s2n_strerror_name(int error);
+S2N_API extern const char *s2n_strerror_name(int error);
/**
* Opaque stack trace structure.
@@ -412,8 +395,7 @@ struct s2n_stacktrace;
*
* @returns True if stack traces are enabled. False if they are disabled.
*/
-S2N_API
-extern bool s2n_stack_traces_enabled(void);
+S2N_API extern bool s2n_stack_traces_enabled(void);
/**
* Configures the s2n stack trace captures option.
@@ -421,16 +403,14 @@ extern bool s2n_stack_traces_enabled(void);
* @param newval Boolean to determine if stack traces should be enabled. True to enable them. False to disable them.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_stack_traces_enabled_set(bool newval);
+S2N_API extern int s2n_stack_traces_enabled_set(bool newval);
/**
* Calculates the s2n stack trace.
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_calculate_stacktrace(void);
+S2N_API extern int s2n_calculate_stacktrace(void);
/**
* Prints the s2n stack trace to a file. The file descriptor is expected to be
@@ -439,16 +419,14 @@ extern int s2n_calculate_stacktrace(void);
* @param fptr A pointer to the file s2n-tls should write the stack trace to.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_print_stacktrace(FILE *fptr);
+S2N_API extern int s2n_print_stacktrace(FILE *fptr);
/**
* Clean up the memory used to contain the stack trace.
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_free_stacktrace(void);
+S2N_API extern int s2n_free_stacktrace(void);
/**
* Export the s2n_stacktrace.
@@ -456,8 +434,7 @@ extern int s2n_free_stacktrace(void);
* @param trace A pointer to the s2n_stacktrace to fill.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_get_stacktrace(struct s2n_stacktrace *trace);
+S2N_API extern int s2n_get_stacktrace(struct s2n_stacktrace *trace);
/**
* Allows the caller to set a callback function that will be used to store SSL
@@ -468,8 +445,7 @@ extern int s2n_get_stacktrace(struct s2n_stacktrace *trace);
* @param data An opaque context pointer that the callback will be invoked with.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_cache_store_callback(struct s2n_config *config, s2n_cache_store_callback cache_store_callback, void *data);
+S2N_API extern int s2n_config_set_cache_store_callback(struct s2n_config *config, s2n_cache_store_callback cache_store_callback, void *data);
/**
* Allows the caller to set a callback function that will be used to retrieve SSL
@@ -480,8 +456,7 @@ extern int s2n_config_set_cache_store_callback(struct s2n_config *config, s2n_ca
* @param data An opaque context pointer that the callback will be invoked with.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_cache_retrieve_callback(struct s2n_config *config, s2n_cache_retrieve_callback cache_retrieve_callback, void *data);
+S2N_API extern int s2n_config_set_cache_retrieve_callback(struct s2n_config *config, s2n_cache_retrieve_callback cache_retrieve_callback, void *data);
/**
* Allows the caller to set a callback function that will be used to delete SSL
@@ -492,8 +467,7 @@ extern int s2n_config_set_cache_retrieve_callback(struct s2n_config *config, s2n
* @param data An opaque context pointer that the callback will be invoked with.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_cache_delete_callback(struct s2n_config *config, s2n_cache_delete_callback cache_delete_callback, void *data);
+S2N_API extern int s2n_config_set_cache_delete_callback(struct s2n_config *config, s2n_cache_delete_callback cache_delete_callback, void *data);
/**
* Called when `s2n_init` is executed.
@@ -531,8 +505,7 @@ typedef int (*s2n_mem_free_callback)(void *ptr, uint32_t size);
* @param mem_free_callback The s2n_mem_free_callback
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_mem_set_callbacks(s2n_mem_init_callback mem_init_callback, s2n_mem_cleanup_callback mem_cleanup_callback,
+S2N_API extern int s2n_mem_set_callbacks(s2n_mem_init_callback mem_init_callback, s2n_mem_cleanup_callback mem_cleanup_callback,
s2n_mem_malloc_callback mem_malloc_callback, s2n_mem_free_callback mem_free_callback);
/**
@@ -568,8 +541,7 @@ typedef int (*s2n_rand_mix_callback)(void *data, uint32_t size);
* @param rand_mix_callback The s2n_rand_mix_callback
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_rand_set_callbacks(s2n_rand_init_callback rand_init_callback, s2n_rand_cleanup_callback rand_cleanup_callback,
+S2N_API extern int s2n_rand_set_callbacks(s2n_rand_init_callback rand_init_callback, s2n_rand_cleanup_callback rand_cleanup_callback,
s2n_rand_seed_callback rand_seed_callback, s2n_rand_mix_callback rand_mix_callback);
/**
@@ -628,8 +600,7 @@ typedef struct s2n_pkey s2n_cert_private_key;
*
* @returns A new object used to represent a certificate-chain/key pair
*/
-S2N_API
-extern struct s2n_cert_chain_and_key *s2n_cert_chain_and_key_new(void);
+S2N_API extern struct s2n_cert_chain_and_key *s2n_cert_chain_and_key_new(void);
/**
* Associates a certificate chain and private key with an `s2n_cert_chain_and_key` object.
@@ -646,8 +617,7 @@ extern struct s2n_cert_chain_and_key *s2n_cert_chain_and_key_new(void);
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_load_pem(struct s2n_cert_chain_and_key *chain_and_key, const char *chain_pem, const char *private_key_pem);
+S2N_API extern int s2n_cert_chain_and_key_load_pem(struct s2n_cert_chain_and_key *chain_and_key, const char *chain_pem, const char *private_key_pem);
/**
* Associates a certificate chain and private key with an `s2n_cert_chain_and_key` object.
@@ -664,8 +634,7 @@ extern int s2n_cert_chain_and_key_load_pem(struct s2n_cert_chain_and_key *chain_
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_load_pem_bytes(struct s2n_cert_chain_and_key *chain_and_key, uint8_t *chain_pem, uint32_t chain_pem_len, uint8_t *private_key_pem, uint32_t private_key_pem_len);
+S2N_API extern int s2n_cert_chain_and_key_load_pem_bytes(struct s2n_cert_chain_and_key *chain_and_key, uint8_t *chain_pem, uint32_t chain_pem_len, uint8_t *private_key_pem, uint32_t private_key_pem_len);
/**
* Associates a public certificate chain with a `s2n_cert_chain_and_key` object. It does
@@ -678,8 +647,7 @@ extern int s2n_cert_chain_and_key_load_pem_bytes(struct s2n_cert_chain_and_key *
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_load_public_pem_bytes(struct s2n_cert_chain_and_key *chain_and_key, uint8_t *chain_pem, uint32_t chain_pem_len);
+S2N_API extern int s2n_cert_chain_and_key_load_public_pem_bytes(struct s2n_cert_chain_and_key *chain_and_key, uint8_t *chain_pem, uint32_t chain_pem_len);
/**
* Frees the memory associated with an `s2n_cert_chain_and_key` object.
@@ -687,8 +655,7 @@ extern int s2n_cert_chain_and_key_load_public_pem_bytes(struct s2n_cert_chain_an
* @param cert_and_key The certificate chain and private key handle
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key);
+S2N_API extern int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key);
/**
* Adds a context to the `s2n_cert_chain_and_key` object.
@@ -697,8 +664,7 @@ extern int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_k
* @param ctx An opaque pointer to user supplied data.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_set_ctx(struct s2n_cert_chain_and_key *cert_and_key, void *ctx);
+S2N_API extern int s2n_cert_chain_and_key_set_ctx(struct s2n_cert_chain_and_key *cert_and_key, void *ctx);
/**
* Get the user supplied context from the `s2n_cert_chain_and_key` object.
@@ -706,8 +672,7 @@ extern int s2n_cert_chain_and_key_set_ctx(struct s2n_cert_chain_and_key *cert_an
* @param cert_and_key The certificate chain and private key handle
* @returns The user supplied pointer from s2n_cert_chain_and_key_set_ctx()
*/
-S2N_API
-extern void *s2n_cert_chain_and_key_get_ctx(struct s2n_cert_chain_and_key *cert_and_key);
+S2N_API extern void *s2n_cert_chain_and_key_get_ctx(struct s2n_cert_chain_and_key *cert_and_key);
/**
* Get the private key from the `s2n_cert_chain_and_key` object.
@@ -715,8 +680,7 @@ extern void *s2n_cert_chain_and_key_get_ctx(struct s2n_cert_chain_and_key *cert_
* @param cert_and_key The certificate chain and private key handle
* @returns A pointer to the `s2n_cert_private_key`
*/
-S2N_API
-extern s2n_cert_private_key *s2n_cert_chain_and_key_get_private_key(struct s2n_cert_chain_and_key *cert_and_key);
+S2N_API extern s2n_cert_private_key *s2n_cert_chain_and_key_get_private_key(struct s2n_cert_chain_and_key *cert_and_key);
/**
* Set the raw OCSP stapling data for a certificate chain.
@@ -726,8 +690,7 @@ extern s2n_cert_private_key *s2n_cert_chain_and_key_get_private_key(struct s2n_c
* @param length The length of the data bytes.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_set_ocsp_data(struct s2n_cert_chain_and_key *chain_and_key, const uint8_t *data, uint32_t length);
+S2N_API extern int s2n_cert_chain_and_key_set_ocsp_data(struct s2n_cert_chain_and_key *chain_and_key, const uint8_t *data, uint32_t length);
/**
* Set the signed certificate timestamp (SCT) for a certificate chain.
@@ -738,8 +701,7 @@ extern int s2n_cert_chain_and_key_set_ocsp_data(struct s2n_cert_chain_and_key *c
* @param length The length of the data bytes.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_cert_chain_and_key_set_sct_list(struct s2n_cert_chain_and_key *chain_and_key, const uint8_t *data, uint32_t length);
+S2N_API extern int s2n_cert_chain_and_key_set_sct_list(struct s2n_cert_chain_and_key *chain_and_key, const uint8_t *data, uint32_t length);
/**
* A callback function that is invoked if s2n-tls cannot resolve a conflict between
@@ -764,8 +726,7 @@ typedef struct s2n_cert_chain_and_key *(*s2n_cert_tiebreak_callback)(struct s2n_
*
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_cert_tiebreak_callback(struct s2n_config *config, s2n_cert_tiebreak_callback cert_tiebreak_cb);
+S2N_API extern int s2n_config_set_cert_tiebreak_callback(struct s2n_config *config, s2n_cert_tiebreak_callback cert_tiebreak_cb);
/**
* Associates a certificate chain and private key with an `s2n_config` object.
@@ -781,8 +742,7 @@ extern int s2n_config_set_cert_tiebreak_callback(struct s2n_config *config, s2n_
* @param private_key_pem A byte array of a PEM encoded key.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure.
*/
-S2N_API
-extern int s2n_config_add_cert_chain_and_key(struct s2n_config *config, const char *cert_chain_pem, const char *private_key_pem);
+S2N_API extern int s2n_config_add_cert_chain_and_key(struct s2n_config *config, const char *cert_chain_pem, const char *private_key_pem);
/**
* The preferred method of associating a certificate chain and private key pair with an `s2n_config` object.
@@ -801,8 +761,7 @@ extern int s2n_config_add_cert_chain_and_key(struct s2n_config *config, const ch
* @param cert_key_pair The certificate chain and private key handle
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_add_cert_chain_and_key_to_store(struct s2n_config *config, struct s2n_cert_chain_and_key *cert_key_pair);
+S2N_API extern int s2n_config_add_cert_chain_and_key_to_store(struct s2n_config *config, struct s2n_cert_chain_and_key *cert_key_pair);
/**
* Explicitly sets certificate chain and private key pairs to be used as defaults for each auth
@@ -823,8 +782,7 @@ extern int s2n_config_add_cert_chain_and_key_to_store(struct s2n_config *config,
* @param num_cert_key_pairs The amount of handles in cert_key_pairs
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_cert_chain_and_key_defaults(struct s2n_config *config,
+S2N_API extern int s2n_config_set_cert_chain_and_key_defaults(struct s2n_config *config,
struct s2n_cert_chain_and_key **cert_key_pairs, uint32_t num_cert_key_pairs);
/**
@@ -839,8 +797,7 @@ extern int s2n_config_set_cert_chain_and_key_defaults(struct s2n_config *config,
* @param ca_dir A string for the directory of the CA PEM files.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_verification_ca_location(struct s2n_config *config, const char *ca_pem_filename, const char *ca_dir);
+S2N_API extern int s2n_config_set_verification_ca_location(struct s2n_config *config, const char *ca_pem_filename, const char *ca_dir);
/**
* Adds a PEM to the trust store. This will allocate memory, and load PEM into the
@@ -852,8 +809,7 @@ extern int s2n_config_set_verification_ca_location(struct s2n_config *config, co
* @param pem The string value of the PEM certificate.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_add_pem_to_trust_store(struct s2n_config *config, const char *pem);
+S2N_API extern int s2n_config_add_pem_to_trust_store(struct s2n_config *config, const char *pem);
/**
* Clear the trust store.
@@ -867,8 +823,7 @@ extern int s2n_config_add_pem_to_trust_store(struct s2n_config *config, const ch
*
* @returns 0 on success and -1 on error
*/
-S2N_API
-extern int s2n_config_wipe_trust_store(struct s2n_config *config);
+S2N_API extern int s2n_config_wipe_trust_store(struct s2n_config *config);
typedef enum {
S2N_VERIFY_AFTER_SIGN_DISABLED,
@@ -887,8 +842,7 @@ typedef enum {
* However, this feature will significantly impact handshake latency.
* Additionally, most libcrypto implementations already check for common errors in signatures.
*/
-S2N_API
-extern int s2n_config_set_verify_after_sign(struct s2n_config *config, s2n_verify_after_sign mode);
+S2N_API extern int s2n_config_set_verify_after_sign(struct s2n_config *config, s2n_verify_after_sign mode);
/**
* Set a custom send buffer size.
@@ -912,8 +866,7 @@ extern int s2n_config_set_verify_after_sign(struct s2n_config *config, s2n_verif
* @param size The desired custom buffer size.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_send_buffer_size(struct s2n_config *config, uint32_t size);
+S2N_API extern int s2n_config_set_send_buffer_size(struct s2n_config *config, uint32_t size);
/**
* A callback function invoked (usually multiple times) during X.509 validation for each
@@ -945,8 +898,7 @@ typedef uint8_t (*s2n_verify_host_fn)(const char *host_name, size_t host_name_le
* @param data A user supplied opaque context to pass back to the callback
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_verify_host_callback(struct s2n_config *config, s2n_verify_host_fn, void *data);
+S2N_API extern int s2n_config_set_verify_host_callback(struct s2n_config *config, s2n_verify_host_fn, void *data);
/**
* Toggles whether or not to validate stapled OCSP responses.
@@ -960,8 +912,7 @@ extern int s2n_config_set_verify_host_callback(struct s2n_config *config, s2n_ve
* @param check_ocsp The desired OCSP response check configuration
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_check_stapled_ocsp_response(struct s2n_config *config, uint8_t check_ocsp);
+S2N_API extern int s2n_config_set_check_stapled_ocsp_response(struct s2n_config *config, uint8_t check_ocsp);
/**
* Turns off all X.509 validation during the negotiation phase of the connection. This should only
@@ -970,8 +921,7 @@ extern int s2n_config_set_check_stapled_ocsp_response(struct s2n_config *config,
* @param config The configuration object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_disable_x509_verification(struct s2n_config *config);
+S2N_API extern int s2n_config_disable_x509_verification(struct s2n_config *config);
/**
* Sets the maximum allowed depth of a cert chain used for X509 validation. The default value is
@@ -983,8 +933,7 @@ extern int s2n_config_disable_x509_verification(struct s2n_config *config);
* @param max_depth The number of allowed certificates in the certificate chain
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_max_cert_chain_depth(struct s2n_config *config, uint16_t max_depth);
+S2N_API extern int s2n_config_set_max_cert_chain_depth(struct s2n_config *config, uint16_t max_depth);
/**
* Associates a set of Diffie-Hellman parameters with an `s2n_config` object.
@@ -994,8 +943,7 @@ extern int s2n_config_set_max_cert_chain_depth(struct s2n_config *config, uint16
* @param dhparams_pem A string containing the PEM encoded DH parameters.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_add_dhparams(struct s2n_config *config, const char *dhparams_pem);
+S2N_API extern int s2n_config_add_dhparams(struct s2n_config *config, const char *dhparams_pem);
/**
* Sets the security policy that includes the cipher/kem/signature/ecc preferences and
@@ -1003,8 +951,7 @@ extern int s2n_config_add_dhparams(struct s2n_config *config, const char *dhpara
*
* See the [USAGE-GUIDE.md](https://github.com/aws/s2n-tls/blob/main/docs/USAGE-GUIDE.md) for how to use security policies.
*/
-S2N_API
-extern int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version);
+S2N_API extern int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *version);
/**
* Appends the provided application protocol to the preference list
@@ -1015,8 +962,7 @@ extern int s2n_config_set_cipher_preferences(struct s2n_config *config, const ch
* @param protocol A pointer to a byte array value
* @param protocol_len The length of bytes that should be read from `protocol`. Note: this value cannot be 0, otherwise an error will be returned.
*/
-S2N_API
-extern int s2n_config_append_protocol_preference(struct s2n_config *config, const uint8_t *protocol, uint8_t protocol_len);
+S2N_API extern int s2n_config_append_protocol_preference(struct s2n_config *config, const uint8_t *protocol, uint8_t protocol_len);
/**
* Sets the application protocol preferences on an `s2n_config` object.
@@ -1035,8 +981,7 @@ extern int s2n_config_append_protocol_preference(struct s2n_config *config, cons
* @param protocol_count The size of the protocols list
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_protocol_preferences(struct s2n_config *config, const char *const *protocols, int protocol_count);
+S2N_API extern int s2n_config_set_protocol_preferences(struct s2n_config *config, const char *const *protocols, int protocol_count);
/**
* Enum used to define the type, if any, of certificate status request
@@ -1056,8 +1001,7 @@ typedef enum {
* @param type The desired request status type
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_status_request_type(struct s2n_config *config, s2n_status_request_type type);
+S2N_API extern int s2n_config_set_status_request_type(struct s2n_config *config, s2n_status_request_type type);
/**
* Enum to set Certificate Transparency Support level.
@@ -1074,8 +1018,7 @@ typedef enum {
* @param level The desired Certificate Transparency Support configuration
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_ct_support_level(struct s2n_config *config, s2n_ct_support_level level);
+S2N_API extern int s2n_config_set_ct_support_level(struct s2n_config *config, s2n_ct_support_level level);
/**
* Sets whether or not a connection should terminate on receiving a WARNING alert from its peer.
@@ -1099,8 +1042,7 @@ typedef enum {
* @param alert_behavior The desired alert behavior.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_alert_behavior(struct s2n_config *config, s2n_alert_behavior alert_behavior);
+S2N_API extern int s2n_config_set_alert_behavior(struct s2n_config *config, s2n_alert_behavior alert_behavior);
/**
* Sets the extension data in the `s2n_config` object for the specified extension.
@@ -1115,8 +1057,7 @@ extern int s2n_config_set_alert_behavior(struct s2n_config *config, s2n_alert_be
* @param data Data for the extension
* @param length Length of the `data` buffer
*/
-S2N_API
-extern int s2n_config_set_extension_data(struct s2n_config *config, s2n_tls_extension_type type, const uint8_t *data, uint32_t length);
+S2N_API extern int s2n_config_set_extension_data(struct s2n_config *config, s2n_tls_extension_type type, const uint8_t *data, uint32_t length);
/**
* Allows the caller to set a TLS Maximum Fragment Length extension that will be used
@@ -1131,8 +1072,7 @@ extern int s2n_config_set_extension_data(struct s2n_config *config, s2n_tls_exte
* @param mfl_code The selected MFL size
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_send_max_fragment_length(struct s2n_config *config, s2n_max_frag_len mfl_code);
+S2N_API extern int s2n_config_send_max_fragment_length(struct s2n_config *config, s2n_max_frag_len mfl_code);
/**
* Allows the server to opt-in to accept client's TLS maximum fragment length extension
@@ -1144,8 +1084,7 @@ extern int s2n_config_send_max_fragment_length(struct s2n_config *config, s2n_ma
* @param config The configuration object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_accept_max_fragment_length(struct s2n_config *config);
+S2N_API extern int s2n_config_accept_max_fragment_length(struct s2n_config *config);
/**
* Sets the lifetime of the cached session state. The default value is 15 hours.
@@ -1154,8 +1093,7 @@ extern int s2n_config_accept_max_fragment_length(struct s2n_config *config);
* @param lifetime_in_secs The desired lifetime of the session state in seconds
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_session_state_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
+S2N_API extern int s2n_config_set_session_state_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
/**
* Enable or disable session resumption using session ticket.
@@ -1164,8 +1102,7 @@ extern int s2n_config_set_session_state_lifetime(struct s2n_config *config, uint
* @param enabled The configuration object being updated. Set to 1 to enable. Set to 0 to disable.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_session_tickets_onoff(struct s2n_config *config, uint8_t enabled);
+S2N_API extern int s2n_config_set_session_tickets_onoff(struct s2n_config *config, uint8_t enabled);
/**
* Enable or disable session caching.
@@ -1177,8 +1114,7 @@ extern int s2n_config_set_session_tickets_onoff(struct s2n_config *config, uint8
* @param enabled The configuration object being updated. Set to 1 to enable. Set to 0 to disable.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_session_cache_onoff(struct s2n_config *config, uint8_t enabled);
+S2N_API extern int s2n_config_set_session_cache_onoff(struct s2n_config *config, uint8_t enabled);
/**
* Sets how long a session ticket key will be in a state where it can be used for both encryption
@@ -1189,8 +1125,7 @@ extern int s2n_config_set_session_cache_onoff(struct s2n_config *config, uint8_t
* @param lifetime_in_secs The desired lifetime of decrypting and encrypting tickets in seconds
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_ticket_encrypt_decrypt_key_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
+S2N_API extern int s2n_config_set_ticket_encrypt_decrypt_key_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
/**
* Sets how long a session ticket key will be in a state where it can used just for decryption of
@@ -1202,8 +1137,7 @@ extern int s2n_config_set_ticket_encrypt_decrypt_key_lifetime(struct s2n_config
* @param lifetime_in_secs The desired lifetime of decrypting and encrypting tickets in seconds
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_ticket_decrypt_key_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
+S2N_API extern int s2n_config_set_ticket_decrypt_key_lifetime(struct s2n_config *config, uint64_t lifetime_in_secs);
/**
* Adds session ticket key on the server side. It would be ideal to add new keys after every
@@ -1218,8 +1152,7 @@ extern int s2n_config_set_ticket_decrypt_key_lifetime(struct s2n_config *config,
* @param intro_time_in_seconds_from_epoch Time at which the session ticket key is introduced. If this is 0, then intro_time_in_seconds_from_epoch is set to now.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_add_ticket_crypto_key(struct s2n_config *config, const uint8_t *name, uint32_t name_len,
+S2N_API extern int s2n_config_add_ticket_crypto_key(struct s2n_config *config, const uint8_t *name, uint32_t name_len,
uint8_t *key, uint32_t key_len, uint64_t intro_time_in_seconds_from_epoch);
/**
* Sets user defined context on the `s2n_config` object.
@@ -1228,8 +1161,7 @@ extern int s2n_config_add_ticket_crypto_key(struct s2n_config *config, const uin
* @param ctx A pointer to the user defined ctx.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_ctx(struct s2n_config *config, void *ctx);
+S2N_API extern int s2n_config_set_ctx(struct s2n_config *config, void *ctx);
/**
* Gets the user defined context from the `s2n_config` object.
@@ -1239,8 +1171,7 @@ extern int s2n_config_set_ctx(struct s2n_config *config, void *ctx);
* @param ctx A pointer to the user defined ctx.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_get_ctx(struct s2n_config *config, void **ctx);
+S2N_API extern int s2n_config_get_ctx(struct s2n_config *config, void **ctx);
/**
* Used to declare connections as server or client type, respectively.
@@ -1266,8 +1197,7 @@ typedef enum {
* @param mode The desired connection type
* @returns A s2n_connection handle
*/
-S2N_API
-extern struct s2n_connection *s2n_connection_new(s2n_mode mode);
+S2N_API extern struct s2n_connection *s2n_connection_new(s2n_mode mode);
/**
* Associates a configuration object with a connection.
@@ -1276,8 +1206,7 @@ extern struct s2n_connection *s2n_connection_new(s2n_mode mode);
* @param config The configuration object being associated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_config *config);
+S2N_API extern int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_config *config);
/**
* Sets user defined context in `s2n_connection` object.
@@ -1286,16 +1215,14 @@ extern int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_con
* @param ctx A pointer to the user defined context
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_ctx(struct s2n_connection *conn, void *ctx);
+S2N_API extern int s2n_connection_set_ctx(struct s2n_connection *conn, void *ctx);
/**
* Gets user defined context from a `s2n_connection` object.
*
* @param conn The connection object that contains the desired context
*/
-S2N_API
-extern void *s2n_connection_get_ctx(struct s2n_connection *conn);
+S2N_API extern void *s2n_connection_get_ctx(struct s2n_connection *conn);
/**
* The callback function takes a s2n-tls connection as input, which receives the ClientHello
@@ -1325,8 +1252,7 @@ typedef enum {
* @param ctx A pointer to a user defined context that the Client Hello callback will be invoked with.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_client_hello_cb(struct s2n_config *config, s2n_client_hello_fn client_hello_callback, void *ctx);
+S2N_API extern int s2n_config_set_client_hello_cb(struct s2n_config *config, s2n_client_hello_fn client_hello_callback, void *ctx);
/**
* Sets the callback execution mode.
@@ -1337,8 +1263,7 @@ extern int s2n_config_set_client_hello_cb(struct s2n_config *config, s2n_client_
* @param cb_mode The desired callback mode
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_client_hello_cb_mode(struct s2n_config *config, s2n_client_hello_cb_mode cb_mode);
+S2N_API extern int s2n_config_set_client_hello_cb_mode(struct s2n_config *config, s2n_client_hello_cb_mode cb_mode);
/**
* Marks the non-blocking callback as complete. Can be invoked from within the callback when
@@ -1347,8 +1272,7 @@ extern int s2n_config_set_client_hello_cb_mode(struct s2n_config *config, s2n_cl
* @param conn The connection object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_client_hello_cb_done(struct s2n_connection *conn);
+S2N_API extern int s2n_client_hello_cb_done(struct s2n_connection *conn);
/**
* Must be invoked if any of the connection properties were changed on the basis of the server_name
@@ -1357,8 +1281,7 @@ extern int s2n_client_hello_cb_done(struct s2n_connection *conn);
* @param conn The connection object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_server_name_extension_used(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_server_name_extension_used(struct s2n_connection *conn);
/**
* Opaque client hello handle
@@ -1374,8 +1297,7 @@ struct s2n_client_hello;
* @param conn The connection object containing the client hello
* @returns A handle to the s2n_client_hello structure holding the client hello message sent by the client during the handshake. NULL is returned if a Client Hello has not yet been received and parsed.
*/
-S2N_API
-extern struct s2n_client_hello *s2n_connection_get_client_hello(struct s2n_connection *conn);
+S2N_API extern struct s2n_client_hello *s2n_connection_get_client_hello(struct s2n_connection *conn);
/**
* Function to determine the size of the raw Client Hello buffer.
@@ -1386,8 +1308,7 @@ extern struct s2n_client_hello *s2n_connection_get_client_hello(struct s2n_conne
* @param ch The Client Hello handle
* @returns The size of the ClientHello message received by the server
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_raw_message_length(struct s2n_client_hello *ch);
+S2N_API extern ssize_t s2n_client_hello_get_raw_message_length(struct s2n_client_hello *ch);
/**
* Copies `max_length` bytes of the ClientHello message into the `out` buffer.
@@ -1404,8 +1325,7 @@ extern ssize_t s2n_client_hello_get_raw_message_length(struct s2n_client_hello *
* @param max_length The size of out in bytes
* @returns The number of copied bytes
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_raw_message(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
+S2N_API extern ssize_t s2n_client_hello_get_raw_message(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
/**
* Function to determine the size of the Client Hello cipher suites.
@@ -1414,8 +1334,7 @@ extern ssize_t s2n_client_hello_get_raw_message(struct s2n_client_hello *ch, uin
* @param ch The Client Hello handle
* @returns the number of bytes the cipher_suites takes on the ClientHello message received by the server
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_cipher_suites_length(struct s2n_client_hello *ch);
+S2N_API extern ssize_t s2n_client_hello_get_cipher_suites_length(struct s2n_client_hello *ch);
/**
* Copies into the `out` buffer `max_length` bytes of the cipher_suites on the ClientHello.
@@ -1425,8 +1344,7 @@ extern ssize_t s2n_client_hello_get_cipher_suites_length(struct s2n_client_hello
* @param max_length The size of out in bytes
* @returns The number of copied bytes
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_cipher_suites(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
+S2N_API extern ssize_t s2n_client_hello_get_cipher_suites(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
/**
* Function to determine the size of the Client Hello extensions.
@@ -1435,8 +1353,7 @@ extern ssize_t s2n_client_hello_get_cipher_suites(struct s2n_client_hello *ch, u
* @param ch The Client Hello handle
* @returns the number of bytes the extensions take in the ClientHello message received by the server
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_extensions_length(struct s2n_client_hello *ch);
+S2N_API extern ssize_t s2n_client_hello_get_extensions_length(struct s2n_client_hello *ch);
/**
* Copies into the `out` buffer `max_length` bytes of the extensions in the ClientHello.
@@ -1446,8 +1363,7 @@ extern ssize_t s2n_client_hello_get_extensions_length(struct s2n_client_hello *c
* @param max_length The size of out in bytes
* @returns The number of copied bytes
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_extensions(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
+S2N_API extern ssize_t s2n_client_hello_get_extensions(struct s2n_client_hello *ch, uint8_t *out, uint32_t max_length);
/**
* Query the ClientHello message received by the server. Use this function to allocate the `out` buffer for
@@ -1457,8 +1373,7 @@ extern ssize_t s2n_client_hello_get_extensions(struct s2n_client_hello *ch, uint
* @param extension_type Indicates the desired extension
* @returns The number of bytes the given extension type takes
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_extension_length(struct s2n_client_hello *ch, s2n_tls_extension_type extension_type);
+S2N_API extern ssize_t s2n_client_hello_get_extension_length(struct s2n_client_hello *ch, s2n_tls_extension_type extension_type);
/**
* Copies into the `out` buffer `max_length` bytes of a given extension type on the ClientHello
@@ -1471,8 +1386,7 @@ extern ssize_t s2n_client_hello_get_extension_length(struct s2n_client_hello *ch
* @param max_length The size of `out`.
* @returns The number of copied bytes
*/
-S2N_API
-extern ssize_t s2n_client_hello_get_extension_by_id(struct s2n_client_hello *ch, s2n_tls_extension_type extension_type, uint8_t *out, uint32_t max_length);
+S2N_API extern ssize_t s2n_client_hello_get_extension_by_id(struct s2n_client_hello *ch, s2n_tls_extension_type extension_type, uint8_t *out, uint32_t max_length);
/**
* Used to check if a particular extension exists in the client hello.
@@ -1483,8 +1397,7 @@ extern ssize_t s2n_client_hello_get_extension_by_id(struct s2n_client_hello *ch,
* @param extension_iana The iana value of the extension
* @param exists A pointer that will be set to whether or not the extension exists
*/
-S2N_API
-extern int s2n_client_hello_has_extension(struct s2n_client_hello *ch, uint16_t extension_iana, bool *exists);
+S2N_API extern int s2n_client_hello_has_extension(struct s2n_client_hello *ch, uint16_t extension_iana, bool *exists);
/**
* Get the the ClientHello session id length in bytes
@@ -1495,8 +1408,7 @@ extern int s2n_client_hello_has_extension(struct s2n_client_hello *ch, uint16_t
* @param out_length An out pointer. s2n will set it's value to the size of the session_id in bytes.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_client_hello_get_session_id_length(struct s2n_client_hello *ch, uint32_t *out_length);
+S2N_API extern int s2n_client_hello_get_session_id_length(struct s2n_client_hello *ch, uint32_t *out_length);
/**
* Copies up to `max_length` bytes of the ClientHello session_id into the `out` buffer and stores the number of copied bytes in `out_length`.
@@ -1513,8 +1425,7 @@ extern int s2n_client_hello_get_session_id_length(struct s2n_client_hello *ch, u
* @param max_length The size of `out`.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_client_hello_get_session_id(struct s2n_client_hello *ch, uint8_t *out, uint32_t *out_length, uint32_t max_length);
+S2N_API extern int s2n_client_hello_get_session_id(struct s2n_client_hello *ch, uint8_t *out, uint32_t *out_length, uint32_t max_length);
/**
* Sets the file descriptor for a s2n connection.
@@ -1527,8 +1438,7 @@ extern int s2n_client_hello_get_session_id(struct s2n_client_hello *ch, uint8_t
* @param fd The new file descriptor
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_fd(struct s2n_connection *conn, int fd);
+S2N_API extern int s2n_connection_set_fd(struct s2n_connection *conn, int fd);
/**
* Sets the file descriptor for the read channel of an s2n connection.
@@ -1541,8 +1451,7 @@ extern int s2n_connection_set_fd(struct s2n_connection *conn, int fd);
* @param readfd The new read file descriptor
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_read_fd(struct s2n_connection *conn, int readfd);
+S2N_API extern int s2n_connection_set_read_fd(struct s2n_connection *conn, int readfd);
/**
* Sets the assigned file descriptor for the write channel of an s2n connection.
@@ -1552,8 +1461,7 @@ extern int s2n_connection_set_read_fd(struct s2n_connection *conn, int readfd);
* @param writefd The new write file descriptor
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_write_fd(struct s2n_connection *conn, int writefd);
+S2N_API extern int s2n_connection_set_write_fd(struct s2n_connection *conn, int writefd);
/**
* Gets the assigned file descriptor for the read channel of an s2n connection.
@@ -1562,8 +1470,7 @@ extern int s2n_connection_set_write_fd(struct s2n_connection *conn, int writefd)
* @param readfd pointer to place the used file descriptor.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_get_read_fd(struct s2n_connection *conn, int *readfd);
+S2N_API extern int s2n_connection_get_read_fd(struct s2n_connection *conn, int *readfd);
/**
* Gets the assigned file descriptor for the write channel of an s2n connection.
@@ -1572,8 +1479,7 @@ extern int s2n_connection_get_read_fd(struct s2n_connection *conn, int *readfd);
* @param writefd pointer to place the used file descriptor.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_get_write_fd(struct s2n_connection *conn, int *writefd);
+S2N_API extern int s2n_connection_get_write_fd(struct s2n_connection *conn, int *writefd);
/**
* Indicates to s2n that the connection is using corked IO.
@@ -1583,8 +1489,7 @@ extern int s2n_connection_get_write_fd(struct s2n_connection *conn, int *writefd
* @param conn The connection object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_use_corked_io(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_use_corked_io(struct s2n_connection *conn);
/**
* Function pointer for a user provided send callback.
@@ -1606,8 +1511,7 @@ typedef int s2n_send_fn(void *io_context, const uint8_t *buf, uint32_t len);
* @param ctx A user provided context that the callback will be invoked with
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_recv_ctx(struct s2n_connection *conn, void *ctx);
+S2N_API extern int s2n_connection_set_recv_ctx(struct s2n_connection *conn, void *ctx);
/**
* Set a context containing anything needed in the send callback function (for example,
@@ -1619,8 +1523,7 @@ extern int s2n_connection_set_recv_ctx(struct s2n_connection *conn, void *ctx);
* @param ctx A user provided context that the callback will be invoked with
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_send_ctx(struct s2n_connection *conn, void *ctx);
+S2N_API extern int s2n_connection_set_send_ctx(struct s2n_connection *conn, void *ctx);
/**
* Configure a connection to use a recv callback to receive data.
@@ -1633,8 +1536,7 @@ extern int s2n_connection_set_send_ctx(struct s2n_connection *conn, void *ctx);
* @param recv A recv callback function pointer
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_recv_cb(struct s2n_connection *conn, s2n_recv_fn recv);
+S2N_API extern int s2n_connection_set_recv_cb(struct s2n_connection *conn, s2n_recv_fn recv);
/**
* Configure a connection to use a send callback to send data.
@@ -1647,8 +1549,7 @@ extern int s2n_connection_set_recv_cb(struct s2n_connection *conn, s2n_recv_fn r
* @param send A send callback function pointer
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_send_cb(struct s2n_connection *conn, s2n_send_fn send);
+S2N_API extern int s2n_connection_set_send_cb(struct s2n_connection *conn, s2n_send_fn send);
/**
* Change the behavior of s2n-tls when sending data to prefer high throughput.
@@ -1659,8 +1560,7 @@ extern int s2n_connection_set_send_cb(struct s2n_connection *conn, s2n_send_fn s
* @param conn The connection object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_prefer_throughput(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_prefer_throughput(struct s2n_connection *conn);
/**
* Change the behavior of s2n-tls when sending data to prefer low latency.
@@ -1671,8 +1571,7 @@ extern int s2n_connection_prefer_throughput(struct s2n_connection *conn);
* @param conn The connection object being updated
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_prefer_low_latency(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_prefer_low_latency(struct s2n_connection *conn);
/**
* Configure the connection to free IO buffers when they are not currently in use.
@@ -1685,8 +1584,7 @@ extern int s2n_connection_prefer_low_latency(struct s2n_connection *conn);
* @param enabled Set to `true` if dynamic buffers are enabled; `false` if disabled
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_dynamic_buffers(struct s2n_connection *conn, bool enabled);
+S2N_API extern int s2n_connection_set_dynamic_buffers(struct s2n_connection *conn, bool enabled);
/**
* Changes the behavior of s2n-tls when sending data to initially prefer records
@@ -1704,8 +1602,7 @@ extern int s2n_connection_set_dynamic_buffers(struct s2n_connection *conn, bool
* @param timeout_threshold Reset record size back to a single segment after threshold seconds of inactivity
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_dynamic_record_threshold(struct s2n_connection *conn, uint32_t resize_threshold, uint16_t timeout_threshold);
+S2N_API extern int s2n_connection_set_dynamic_record_threshold(struct s2n_connection *conn, uint32_t resize_threshold, uint16_t timeout_threshold);
/**
* Sets the callback to use for verifying that a hostname from an X.509 certificate is trusted.
@@ -1720,8 +1617,7 @@ extern int s2n_connection_set_dynamic_record_threshold(struct s2n_connection *co
* @param data Opaque pointer to data that the verify host function will be invoked with
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_verify_host_callback(struct s2n_connection *conn, s2n_verify_host_fn host_fn, void *data);
+S2N_API extern int s2n_connection_set_verify_host_callback(struct s2n_connection *conn, s2n_verify_host_fn host_fn, void *data);
/**
* Used to opt-out of s2n-tls's built-in blinding. Blinding is a
@@ -1749,16 +1645,14 @@ typedef enum {
* @param blinding The desired blinding mode for the connection
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_blinding(struct s2n_connection *conn, s2n_blinding blinding);
+S2N_API extern int s2n_connection_set_blinding(struct s2n_connection *conn, s2n_blinding blinding);
/**
* Query the connection object for the configured blinding delay.
* @param conn The connection object being updated
* @returns the number of nanoseconds an application using self-service blinding should pause before calling close() or shutdown().
*/
-S2N_API
-extern uint64_t s2n_connection_get_delay(struct s2n_connection *conn);
+S2N_API extern uint64_t s2n_connection_get_delay(struct s2n_connection *conn);
/**
* Sets the cipher preference override for the s2n_connection. Calling this function is not necessary
@@ -1768,8 +1662,7 @@ extern uint64_t s2n_connection_get_delay(struct s2n_connection *conn);
* @param version The human readable string representation of the security policy version.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version);
+S2N_API extern int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, const char *version);
/**
* Appends the provided application protocol to the preference list
@@ -1781,8 +1674,7 @@ extern int s2n_connection_set_cipher_preferences(struct s2n_connection *conn, co
* @param protocol_len The length of bytes that should be read from `protocol`. Note: this value cannot be 0, otherwise an error will be returned.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_append_protocol_preference(struct s2n_connection *conn, const uint8_t *protocol, uint8_t protocol_len);
+S2N_API extern int s2n_connection_append_protocol_preference(struct s2n_connection *conn, const uint8_t *protocol, uint8_t protocol_len);
/**
* Sets the protocol preference override for the s2n_connection. Calling this function is not necessary unless you want
@@ -1793,8 +1685,7 @@ extern int s2n_connection_append_protocol_preference(struct s2n_connection *conn
* @param protocol_count The number of protocols contained in protocols
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_protocol_preferences(struct s2n_connection *conn, const char *const *protocols, int protocol_count);
+S2N_API extern int s2n_connection_set_protocol_preferences(struct s2n_connection *conn, const char *const *protocols, int protocol_count);
/**
* Sets the server name for the connection.
@@ -1809,8 +1700,7 @@ extern int s2n_connection_set_protocol_preferences(struct s2n_connection *conn,
* @warning `server_name` must be a NULL terminated string.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_set_server_name(struct s2n_connection *conn, const char *server_name);
+S2N_API extern int s2n_set_server_name(struct s2n_connection *conn, const char *server_name);
/**
* Query the connection for the selected server name.
@@ -1821,8 +1711,7 @@ extern int s2n_set_server_name(struct s2n_connection *conn, const char *server_n
* @param conn The connection object being queried
* @returns The server name associated with a connection, or NULL if none is found.
*/
-S2N_API
-extern const char *s2n_get_server_name(struct s2n_connection *conn);
+S2N_API extern const char *s2n_get_server_name(struct s2n_connection *conn);
/**
* Query the connection for the selected application protocol.
@@ -1830,8 +1719,7 @@ extern const char *s2n_get_server_name(struct s2n_connection *conn);
* @param conn The connection object being queried
* @returns The negotiated application protocol for a `s2n_connection`. In the event of no protocol being negotiated, NULL is returned.
*/
-S2N_API
-extern const char *s2n_get_application_protocol(struct s2n_connection *conn);
+S2N_API extern const char *s2n_get_application_protocol(struct s2n_connection *conn);
/**
* Query the connection for a buffer containing the OCSP response.
@@ -1840,8 +1728,7 @@ extern const char *s2n_get_application_protocol(struct s2n_connection *conn);
* @param length A pointer that is set to the certificate transparency response buffer's size
* @returns A pointer to the OCSP response sent by a server during the handshake. If no status response is received, NULL is returned.
*/
-S2N_API
-extern const uint8_t *s2n_connection_get_ocsp_response(struct s2n_connection *conn, uint32_t *length);
+S2N_API extern const uint8_t *s2n_connection_get_ocsp_response(struct s2n_connection *conn, uint32_t *length);
/**
* Query the connection for a buffer containing the Certificate Transparency response.
@@ -1850,8 +1737,7 @@ extern const uint8_t *s2n_connection_get_ocsp_response(struct s2n_connection *co
* @param length A pointer that is set to the certificate transparency response buffer's size
* @returns A pointer to the certificate transparency response buffer.
*/
-S2N_API
-extern const uint8_t *s2n_connection_get_sct_list(struct s2n_connection *conn, uint32_t *length);
+S2N_API extern const uint8_t *s2n_connection_get_sct_list(struct s2n_connection *conn, uint32_t *length);
/**
* Used in non-blocking mode to indicate in which direction s2n-tls became blocked on I/O before it
@@ -1873,8 +1759,7 @@ typedef enum {
* @param blocked A pointer which will be set to the blocked status.
* @returns S2N_SUCCESS if the handshake completed. S2N_FAILURE if the handshake encountered an error or is blocked.
*/
-S2N_API
-extern int s2n_negotiate(struct s2n_connection *conn, s2n_blocked_status *blocked);
+S2N_API extern int s2n_negotiate(struct s2n_connection *conn, s2n_blocked_status *blocked);
/**
* Writes and encrypts `size` of `buf` data to the associated connection. s2n_send() will return the number of bytes
@@ -1902,8 +1787,7 @@ extern int s2n_negotiate(struct s2n_connection *conn, s2n_blocked_status *blocke
* @param blocked A pointer which will be set to the blocked status, as in s2n_negotiate()
* @returns The number of bytes written, and may indicate a partial write
*/
-S2N_API
-extern ssize_t s2n_send(struct s2n_connection *conn, const void *buf, ssize_t size, s2n_blocked_status *blocked);
+S2N_API extern ssize_t s2n_send(struct s2n_connection *conn, const void *buf, ssize_t size, s2n_blocked_status *blocked);
/**
* Works in the same way as s2n_sendv_with_offset() except that the latter's `offs` parameter is implicitly assumed to be 0.
@@ -1916,8 +1800,7 @@ extern ssize_t s2n_send(struct s2n_connection *conn, const void *buf, ssize_t si
* @param blocked A pointer which will be set to the blocked status, as in s2n_negotiate()
* @returns The number of bytes written, and may indicate a partial write.
*/
-S2N_API
-extern ssize_t s2n_sendv(struct s2n_connection *conn, const struct iovec *bufs, ssize_t count, s2n_blocked_status *blocked);
+S2N_API extern ssize_t s2n_sendv(struct s2n_connection *conn, const struct iovec *bufs, ssize_t count, s2n_blocked_status *blocked);
/**
* Works in the same way as s2n_send() except that it accepts vectorized buffers. Will return the number of bytes written, and may indicate a partial write. Partial writes are possible not just for non-blocking I/O, but also for connections aborted while active.
@@ -1949,8 +1832,7 @@ extern ssize_t s2n_sendv(struct s2n_connection *conn, const struct iovec *bufs,
* @param blocked A pointer which will be set to the blocked status, as in s2n_negotiate()
* @returns The number of bytes written, and may indicate a partial write.
*/
-S2N_API
-extern ssize_t s2n_sendv_with_offset(struct s2n_connection *conn, const struct iovec *bufs, ssize_t count, ssize_t offs, s2n_blocked_status *blocked);
+S2N_API extern ssize_t s2n_sendv_with_offset(struct s2n_connection *conn, const struct iovec *bufs, ssize_t count, ssize_t offs, s2n_blocked_status *blocked);
/**
* Decrypts and reads **size* to `buf` data from the associated
@@ -1976,8 +1858,7 @@ extern ssize_t s2n_sendv_with_offset(struct s2n_connection *conn, const struct i
* @param blocked A pointer which will be set to the blocked status, as in s2n_negotiate()
* @returns number of bytes read. 0 if the connection was shutdown by peer.
*/
-S2N_API
-extern ssize_t s2n_recv(struct s2n_connection *conn, void *buf, ssize_t size, s2n_blocked_status *blocked);
+S2N_API extern ssize_t s2n_recv(struct s2n_connection *conn, void *buf, ssize_t size, s2n_blocked_status *blocked);
/**
* Allows users of s2n-tls to peek inside the data buffer of an s2n-tls connection to see if there more data to be read without actually reading it.
@@ -1990,8 +1871,7 @@ extern ssize_t s2n_recv(struct s2n_connection *conn, void *buf, ssize_t size, s2
* @param conn A pointer to the s2n_connection object
* @returns The number of bytes that can be read from the connection
*/
-S2N_API
-extern uint32_t s2n_peek(struct s2n_connection *conn);
+S2N_API extern uint32_t s2n_peek(struct s2n_connection *conn);
/**
* Wipes and releases buffers and memory allocated during the TLS handshake.
@@ -2001,8 +1881,7 @@ extern uint32_t s2n_peek(struct s2n_connection *conn);
* @param conn A pointer to the s2n_connection object
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_free_handshake(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_free_handshake(struct s2n_connection *conn);
/**
* Wipes and free the `in` and `out` buffers associated with a connection.
@@ -2013,8 +1892,7 @@ extern int s2n_connection_free_handshake(struct s2n_connection *conn);
* @param conn A pointer to the s2n_connection object
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_release_buffers(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_release_buffers(struct s2n_connection *conn);
/**
* Wipes an existing connection and allows it to be reused. Erases all data associated with a connection including
@@ -2026,8 +1904,7 @@ extern int s2n_connection_release_buffers(struct s2n_connection *conn);
* @param conn A pointer to the s2n_connection object
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_wipe(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_wipe(struct s2n_connection *conn);
/**
* Frees the memory associated with an s2n_connection
@@ -2038,8 +1915,7 @@ extern int s2n_connection_wipe(struct s2n_connection *conn);
* @param conn A pointer to the s2n_connection object
* @returns 0 on success. -1 on failure
*/
-S2N_API
-extern int s2n_connection_free(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_free(struct s2n_connection *conn);
/**
* Attempts a closure at the TLS layer. Does not close the underlying transport. This call may block in either direction.
@@ -2056,8 +1932,7 @@ extern int s2n_connection_free(struct s2n_connection *conn);
* @param blocked A pointer which will be set to the blocked status, as in s2n_negotiate()
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_shutdown(struct s2n_connection *conn, s2n_blocked_status *blocked);
+S2N_API extern int s2n_shutdown(struct s2n_connection *conn, s2n_blocked_status *blocked);
/**
* Used to declare what type of client certificate authentication to use.
@@ -2077,8 +1952,7 @@ typedef enum {
* @param client_auth_type A pointer to a client auth policy. This will be updated to the s2n_config value.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_get_client_auth_type(struct s2n_config *config, s2n_cert_auth_type *client_auth_type);
+S2N_API extern int s2n_config_get_client_auth_type(struct s2n_config *config, s2n_cert_auth_type *client_auth_type);
/**
* Sets whether or not a Client Certificate should be required to complete the TLS Connection.
@@ -2090,8 +1964,7 @@ extern int s2n_config_get_client_auth_type(struct s2n_config *config, s2n_cert_a
* @param client_auth_type The client auth policy for the connection
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_client_auth_type(struct s2n_config *config, s2n_cert_auth_type client_auth_type);
+S2N_API extern int s2n_config_set_client_auth_type(struct s2n_config *config, s2n_cert_auth_type client_auth_type);
/**
* Gets Client Certificate authentication method the s2n_connection object is using.
@@ -2100,8 +1973,7 @@ extern int s2n_config_set_client_auth_type(struct s2n_config *config, s2n_cert_a
* @param client_auth_type A pointer to a client auth policy. This will be updated to the s2n_connection value.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_auth_type);
+S2N_API extern int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_auth_type);
/**
* Sets whether or not a Client Certificate should be required to complete the TLS Connection.
@@ -2113,8 +1985,7 @@ extern int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_
* @param client_auth_type The client auth policy for the connection
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type client_auth_type);
+S2N_API extern int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type client_auth_type);
/**
* Gets the client certificate chain and places it in the `der_cert_chain_out` buffer. `cert_chain_len` is updated
@@ -2127,8 +1998,7 @@ extern int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_
* @param cert_chain_len A pointer to a uint32_t. This will be updated to match the size of the buffer `der_cert_chain_out` points to.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
+S2N_API extern int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
/**
* Sets the initial number of session tickets to send after a >=TLS1.3 handshake. The default value is one ticket.
@@ -2137,8 +2007,7 @@ extern int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uin
* @param num The number of session tickets that will be sent.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_config_set_initial_ticket_count(struct s2n_config *config, uint8_t num);
+S2N_API extern int s2n_config_set_initial_ticket_count(struct s2n_config *config, uint8_t num);
/**
* Increases the number of session tickets to send after a >=TLS1.3 handshake.
@@ -2147,8 +2016,7 @@ extern int s2n_config_set_initial_ticket_count(struct s2n_config *config, uint8_
* @param num The number of additional session tickets to send.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_add_new_tickets_to_send(struct s2n_connection *conn, uint8_t num);
+S2N_API extern int s2n_connection_add_new_tickets_to_send(struct s2n_connection *conn, uint8_t num);
/**
* Returns the number of session tickets issued by the server.
@@ -2162,8 +2030,7 @@ extern int s2n_connection_add_new_tickets_to_send(struct s2n_connection *conn, u
* @param num The number of additional session tickets sent.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_get_tickets_sent(struct s2n_connection *conn, uint16_t *num);
+S2N_API extern int s2n_connection_get_tickets_sent(struct s2n_connection *conn, uint16_t *num);
/**
* Sets the keying material lifetime for >=TLS1.3 session tickets so that one session doesn't get re-used ad infinitum.
@@ -2173,8 +2040,7 @@ extern int s2n_connection_get_tickets_sent(struct s2n_connection *conn, uint16_t
* @param lifetime_in_secs Lifetime of keying material in seconds.
* @returns S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-extern int s2n_connection_set_server_keying_material_lifetime(struct s2n_connection *conn, uint32_t lifetime_in_secs);
+S2N_API extern int s2n_connection_set_server_keying_material_lifetime(struct s2n_connection *conn, uint32_t lifetime_in_secs);
struct s2n_session_ticket;
@@ -2206,8 +2072,7 @@ typedef int (*s2n_session_ticket_fn)(struct s2n_connection *conn, void *ctx, str
* @param callback The function that should be called when the callback is triggered.
* @param ctx The context to be passed when the callback is called.
*/
-S2N_API
-extern int s2n_config_set_session_ticket_cb(struct s2n_config *config, s2n_session_ticket_fn callback, void *ctx);
+S2N_API extern int s2n_config_set_session_ticket_cb(struct s2n_config *config, s2n_session_ticket_fn callback, void *ctx);
/**
* Gets the length of the session ticket from a session ticket object.
@@ -2215,8 +2080,7 @@ extern int s2n_config_set_session_ticket_cb(struct s2n_config *config, s2n_sessi
* @param ticket Pointer to the session ticket object.
* @param data_len Pointer to be set to the length of the session ticket on success.
*/
-S2N_API
-extern int s2n_session_ticket_get_data_len(struct s2n_session_ticket *ticket, size_t *data_len);
+S2N_API extern int s2n_session_ticket_get_data_len(struct s2n_session_ticket *ticket, size_t *data_len);
/**
* Gets the session ticket data from a session ticket object.
@@ -2229,8 +2093,7 @@ extern int s2n_session_ticket_get_data_len(struct s2n_session_ticket *ticket, si
* @param max_data_len Maximum length of data that can be written to the 'data' pointer.
* @param data Pointer to where the session ticket data will be stored.
*/
-S2N_API
-extern int s2n_session_ticket_get_data(struct s2n_session_ticket *ticket, size_t max_data_len, uint8_t *data);
+S2N_API extern int s2n_session_ticket_get_data(struct s2n_session_ticket *ticket, size_t max_data_len, uint8_t *data);
/**
* Gets the lifetime in seconds of the session ticket from a session ticket object.
@@ -2238,8 +2101,7 @@ extern int s2n_session_ticket_get_data(struct s2n_session_ticket *ticket, size_t
* @param ticket Pointer to the session ticket object.
* @param session_lifetime Pointer to a variable where the lifetime of the session ticket will be stored.
*/
-S2N_API
-extern int s2n_session_ticket_get_lifetime(struct s2n_session_ticket *ticket, uint32_t *session_lifetime);
+S2N_API extern int s2n_session_ticket_get_lifetime(struct s2n_session_ticket *ticket, uint32_t *session_lifetime);
/**
* De-serializes the session state and updates the connection accordingly.
@@ -2250,8 +2112,7 @@ extern int s2n_session_ticket_get_lifetime(struct s2n_session_ticket *ticket, ui
*
* @returns The number of copied bytes
*/
-S2N_API
-extern int s2n_connection_set_session(struct s2n_connection *conn, const uint8_t *session, size_t length);
+S2N_API extern int s2n_connection_set_session(struct s2n_connection *conn, const uint8_t *session, size_t length);
/**
* Serializes the session state from connection and copies into the `session` buffer and returns the number of copied bytes
@@ -2266,8 +2127,7 @@ extern int s2n_connection_set_session(struct s2n_connection *conn, const uint8_t
*
* @returns The number of copied bytes
*/
-S2N_API
-extern int s2n_connection_get_session(struct s2n_connection *conn, uint8_t *session, size_t max_length);
+S2N_API extern int s2n_connection_get_session(struct s2n_connection *conn, uint8_t *session, size_t max_length);
/**
* Retrieves a hint from the server indicating how long this ticket's lifetime is.
@@ -2280,8 +2140,7 @@ extern int s2n_connection_get_session(struct s2n_connection *conn, uint8_t *sess
*
* @returns The session ticket lifetime hint in seconds from the server or -1 when session ticket was not used for resumption.
*/
-S2N_API
-extern int s2n_connection_get_session_ticket_lifetime_hint(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_session_ticket_lifetime_hint(struct s2n_connection *conn);
/**
* Use this to query the serialized session state size before copying it into a buffer.
@@ -2290,8 +2149,7 @@ extern int s2n_connection_get_session_ticket_lifetime_hint(struct s2n_connection
*
* @returns number of bytes needed to store serialized session state
*/
-S2N_API
-extern int s2n_connection_get_session_length(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_session_length(struct s2n_connection *conn);
/**
* Gets the latest session id's length from the connection.
@@ -2302,8 +2160,7 @@ extern int s2n_connection_get_session_length(struct s2n_connection *conn);
*
* @returns The latest session id length from the connection. Session id length will be 0 for TLS versions >= TLS1.3 as stateful session resumption has not yet been implemented in TLS1.3.
*/
-S2N_API
-extern int s2n_connection_get_session_id_length(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_session_id_length(struct s2n_connection *conn);
/**
* Gets the latest session id from the connection, copies it into the `session_id` buffer, and returns the number of copied bytes.
@@ -2318,8 +2175,7 @@ extern int s2n_connection_get_session_id_length(struct s2n_connection *conn);
*
* @returns The number of copied bytes.
*/
-S2N_API
-extern int s2n_connection_get_session_id(struct s2n_connection *conn, uint8_t *session_id, size_t max_length);
+S2N_API extern int s2n_connection_get_session_id(struct s2n_connection *conn, uint8_t *session_id, size_t max_length);
/**
* Check if the connection was resumed from an earlier handshake.
@@ -2328,8 +2184,7 @@ extern int s2n_connection_get_session_id(struct s2n_connection *conn, uint8_t *s
*
* @returns returns 1 if the handshake was abbreviated, otherwise returns 0
*/
-S2N_API
-extern int s2n_connection_is_session_resumed(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_is_session_resumed(struct s2n_connection *conn);
/**
* Check is the connection is OCSP stapled.
@@ -2338,8 +2193,7 @@ extern int s2n_connection_is_session_resumed(struct s2n_connection *conn);
*
* @returns 1 if OCSP response was sent (if connection is in S2N_SERVER mode) or received (if connection is in S2N_CLIENT mode) during handshake, otherwise it returns 0.
*/
-S2N_API
-extern int s2n_connection_is_ocsp_stapled(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_is_ocsp_stapled(struct s2n_connection *conn);
/**
* TLS Signature Algorithms - RFC 5246 7.4.1.4.1
@@ -2379,8 +2233,7 @@ typedef enum {
*
* @returns S2N_SUCCESS on success. S2N_FAILURE if bad parameters are received.
*/
-S2N_API
-extern int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn, s2n_tls_signature_algorithm *chosen_alg);
+S2N_API extern int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn, s2n_tls_signature_algorithm *chosen_alg);
/**
* Get the connection's selected digest algorithm.
@@ -2390,8 +2243,7 @@ extern int s2n_connection_get_selected_signature_algorithm(struct s2n_connection
*
* @returns S2N_SUCCESS on success. S2N_FAILURE if bad parameters are received.
*/
-S2N_API
-extern int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn, s2n_tls_hash_algorithm *chosen_alg);
+S2N_API extern int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn, s2n_tls_hash_algorithm *chosen_alg);
/**
* Get the client certificate's signature algorithm.
@@ -2401,8 +2253,7 @@ extern int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *c
*
* @returns S2N_SUCCESS on success. S2N_FAILURE if bad parameters are received.
*/
-S2N_API
-extern int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn, s2n_tls_signature_algorithm *chosen_alg);
+S2N_API extern int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn, s2n_tls_signature_algorithm *chosen_alg);
/**
* Get the client certificate's digest algorithm.
@@ -2412,8 +2263,7 @@ extern int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2
*
* @returns S2N_SUCCESS on success. S2N_FAILURE if bad parameters are received.
*/
-S2N_API
-extern int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn, s2n_tls_hash_algorithm *chosen_alg);
+S2N_API extern int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn, s2n_tls_hash_algorithm *chosen_alg);
/**
* Get the certificate used during the TLS handshake
@@ -2428,16 +2278,14 @@ extern int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_c
*
* @returns NULL if the certificate selection phase of the handshake has not completed or if a certificate was not requested by the peer
*/
-S2N_API
-extern struct s2n_cert_chain_and_key *s2n_connection_get_selected_cert(struct s2n_connection *conn);
+S2N_API extern struct s2n_cert_chain_and_key *s2n_connection_get_selected_cert(struct s2n_connection *conn);
/**
* @param chain_and_key A pointer to the s2n_cert_chain_and_key object being read.
* @param cert_length This return value represents the length of the s2n certificate chain `chain_and_key`.
* @returns the length of the s2n certificate chain `chain_and_key`.
*/
-S2N_API
-extern int s2n_cert_chain_get_length(const struct s2n_cert_chain_and_key *chain_and_key, uint32_t *cert_length);
+S2N_API extern int s2n_cert_chain_get_length(const struct s2n_cert_chain_and_key *chain_and_key, uint32_t *cert_length);
/**
* Returns the certificate `out_cert` present at the index `cert_idx` of the certificate chain `chain_and_key`.
@@ -2457,8 +2305,7 @@ extern int s2n_cert_chain_get_length(const struct s2n_cert_chain_and_key *chain_
* @param out_cert A pointer to the output s2n_cert `out_cert` present at the index `cert_idx` of the certificate chain `chain_and_key`.
* @param cert_idx The certificate index for the requested certificate within the s2n certificate chain.
*/
-S2N_API
-extern int s2n_cert_chain_get_cert(const struct s2n_cert_chain_and_key *chain_and_key, struct s2n_cert **out_cert, const uint32_t cert_idx);
+S2N_API extern int s2n_cert_chain_get_cert(const struct s2n_cert_chain_and_key *chain_and_key, struct s2n_cert **out_cert, const uint32_t cert_idx);
/**
* Returns the s2n certificate in DER format along with its length.
@@ -2485,8 +2332,7 @@ extern int s2n_cert_chain_get_cert(const struct s2n_cert_chain_and_key *chain_an
* @param out_cert_der A pointer to the output buffer which will hold the s2n certificate `cert` in DER format.
* @param cert_length This return value represents the length of the certificate.
*/
-S2N_API
-extern int s2n_cert_get_der(const struct s2n_cert *cert, const uint8_t **out_cert_der, uint32_t *cert_length);
+S2N_API extern int s2n_cert_get_der(const struct s2n_cert *cert, const uint8_t **out_cert_der, uint32_t *cert_length);
/**
* Returns the validated peer certificate chain as a `s2n_cert_chain_and_key` opaque object.
@@ -2498,8 +2344,7 @@ extern int s2n_cert_get_der(const struct s2n_cert *cert, const uint8_t **out_cer
* @param conn A pointer to the s2n_connection object being read.
* @param cert_chain The returned validated peer certificate chain `cert_chain` retrieved from the s2n connection.
*/
-S2N_API
-extern int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain);
+S2N_API extern int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain);
/**
* Returns the length of the DER encoded extension value of the ASN.1 X.509 certificate extension.
@@ -2508,8 +2353,7 @@ extern int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn,
* @param oid A null-terminated cstring that contains the OID of the X.509 certificate extension to be read.
* @param ext_value_len This return value contains the length of DER encoded extension value of the ASN.1 X.509 certificate extension.
*/
-S2N_API
-extern int s2n_cert_get_x509_extension_value_length(struct s2n_cert *cert, const uint8_t *oid, uint32_t *ext_value_len);
+S2N_API extern int s2n_cert_get_x509_extension_value_length(struct s2n_cert *cert, const uint8_t *oid, uint32_t *ext_value_len);
/**
* Returns the DER encoding of an ASN.1 X.509 certificate extension value, it's length and a boolean critical.
@@ -2522,8 +2366,7 @@ extern int s2n_cert_get_x509_extension_value_length(struct s2n_cert *cert, const
* When used as an output parameter, `ext_value_len` holds the actual length of the DER encoding of the ASN.1 X.509 certificate extension value returned.
* @param critical This return value contains the boolean value for `critical`.
*/
-S2N_API
-extern int s2n_cert_get_x509_extension_value(struct s2n_cert *cert, const uint8_t *oid, uint8_t *ext_value, uint32_t *ext_value_len, bool *critical);
+S2N_API extern int s2n_cert_get_x509_extension_value(struct s2n_cert *cert, const uint8_t *oid, uint8_t *ext_value, uint32_t *ext_value_len, bool *critical);
/**
* Returns the UTF8 String length of the ASN.1 X.509 certificate extension data.
@@ -2532,8 +2375,7 @@ extern int s2n_cert_get_x509_extension_value(struct s2n_cert *cert, const uint8_
* @param extension_len represents the length of the input buffer `extension_data`.
* @param utf8_str_len This return value contains the UTF8 String length of the ASN.1 X.509 certificate extension data.
*/
-S2N_API
-extern int s2n_cert_get_utf8_string_from_extension_data_length(const uint8_t *extension_data, uint32_t extension_len, uint32_t *utf8_str_len);
+S2N_API extern int s2n_cert_get_utf8_string_from_extension_data_length(const uint8_t *extension_data, uint32_t extension_len, uint32_t *utf8_str_len);
/**
* Returns the UTF8 String representation of the DER encoded ASN.1 X.509 certificate extension data.
@@ -2546,8 +2388,7 @@ extern int s2n_cert_get_utf8_string_from_extension_data_length(const uint8_t *ex
* When used as an input parameter, the caller must use this parameter to convey the maximum length of `out_data`.
* When used as an output parameter, `out_len` holds the actual length of UTF8 String returned.
*/
-S2N_API
-extern int s2n_cert_get_utf8_string_from_extension_data(const uint8_t *extension_data, uint32_t extension_len, uint8_t *out_data, uint32_t *out_len);
+S2N_API extern int s2n_cert_get_utf8_string_from_extension_data(const uint8_t *extension_data, uint32_t extension_len, uint8_t *out_data, uint32_t *out_len);
/**
* Pre-shared key (PSK) Hash Algorithm - RFC 8446 Section-2.2
@@ -2570,16 +2411,14 @@ struct s2n_psk;
*
* @returns struct s2n_psk* Returns a pointer to the newly created external PSK object.
*/
-S2N_API
-struct s2n_psk *s2n_external_psk_new(void);
+S2N_API struct s2n_psk *s2n_external_psk_new(void);
/**
* Frees the memory associated with the external PSK object.
*
* @param psk Pointer to the PSK object to be freed.
*/
-S2N_API
-int s2n_psk_free(struct s2n_psk **psk);
+S2N_API int s2n_psk_free(struct s2n_psk **psk);
/**
* Sets the identity for a given external PSK object.
@@ -2598,8 +2437,7 @@ int s2n_psk_free(struct s2n_psk **psk);
* @param identity The identity in raw bytes format to be copied.
* @param identity_size The length of the PSK identity being set.
*/
-S2N_API
-int s2n_psk_set_identity(struct s2n_psk *psk, const uint8_t *identity, uint16_t identity_size);
+S2N_API int s2n_psk_set_identity(struct s2n_psk *psk, const uint8_t *identity, uint16_t identity_size);
/**
* Sets the out-of-band/externally provisioned secret for a given external PSK object.
@@ -2617,8 +2455,7 @@ int s2n_psk_set_identity(struct s2n_psk *psk, const uint8_t *identity, uint16_t
* @param secret The secret in raw bytes format to be copied.
* @param secret_size The length of the pre-shared secret being set.
*/
-S2N_API
-int s2n_psk_set_secret(struct s2n_psk *psk, const uint8_t *secret, uint16_t secret_size);
+S2N_API int s2n_psk_set_secret(struct s2n_psk *psk, const uint8_t *secret, uint16_t secret_size);
/**
* Sets the hash algorithm for a given external PSK object. The supported PSK hash
@@ -2627,8 +2464,7 @@ int s2n_psk_set_secret(struct s2n_psk *psk, const uint8_t *secret, uint16_t secr
* @param psk A pointer to the external PSK object to be updated with the PSK hash algorithm.
* @param hmac The PSK hash algorithm being set.
*/
-S2N_API
-int s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac hmac);
+S2N_API int s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac hmac);
/**
* Appends a PSK object to the list of PSKs supported by the s2n connection.
@@ -2639,8 +2475,7 @@ int s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac hmac);
* @param conn A pointer to the s2n_connection object that contains the list of PSKs supported.
* @param psk A pointer to the `s2n_psk` object to be appended to the list of PSKs on the s2n connection.
*/
-S2N_API
-int s2n_connection_append_psk(struct s2n_connection *conn, struct s2n_psk *psk);
+S2N_API int s2n_connection_append_psk(struct s2n_connection *conn, struct s2n_psk *psk);
/**
* The list of PSK modes supported by s2n-tls for TLS versions >= TLS1.3.
@@ -2660,8 +2495,7 @@ typedef enum {
* @param config A pointer to the s2n_config object being updated.
* @param mode The PSK mode to be set.
*/
-S2N_API
-int s2n_config_set_psk_mode(struct s2n_config *config, s2n_psk_mode mode);
+S2N_API int s2n_config_set_psk_mode(struct s2n_config *config, s2n_psk_mode mode);
/**
* Sets the PSK mode on the s2n connection object.
@@ -2671,8 +2505,7 @@ int s2n_config_set_psk_mode(struct s2n_config *config, s2n_psk_mode mode);
* @param conn A pointer to the s2n_connection object being updated.
* @param mode The PSK mode to be set.
*/
-S2N_API
-int s2n_connection_set_psk_mode(struct s2n_connection *conn, s2n_psk_mode mode);
+S2N_API int s2n_connection_set_psk_mode(struct s2n_connection *conn, s2n_psk_mode mode);
/**
* Gets the negotiated PSK identity length from the s2n connection object. The negotiated PSK
@@ -2685,8 +2518,7 @@ int s2n_connection_set_psk_mode(struct s2n_connection *conn, s2n_psk_mode mode);
* @param conn A pointer to the s2n_connection object that successfully negotiated a PSK connection.
* @param identity_length The length of the negotiated PSK identity.
*/
-S2N_API
-int s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection *conn, uint16_t *identity_length);
+S2N_API int s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection *conn, uint16_t *identity_length);
/**
* Gets the negotiated PSK identity from the s2n connection object.
@@ -2704,8 +2536,7 @@ int s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection *con
* @param max_identity_length The maximum length for the PSK identity. If the negotiated psk_identity length is
* greater than this `max_identity_length` value an error will be returned.
*/
-S2N_API
-int s2n_connection_get_negotiated_psk_identity(struct s2n_connection *conn, uint8_t *identity, uint16_t max_identity_length);
+S2N_API int s2n_connection_get_negotiated_psk_identity(struct s2n_connection *conn, uint8_t *identity, uint16_t max_identity_length);
struct s2n_offered_psk;
@@ -2719,16 +2550,14 @@ struct s2n_offered_psk;
*
* @returns struct s2n_offered_psk* Returns a pointer to the newly created offered PSK object.
*/
-S2N_API
-struct s2n_offered_psk *s2n_offered_psk_new(void);
+S2N_API struct s2n_offered_psk *s2n_offered_psk_new(void);
/**
* Frees the memory associated with the `s2n_offered_psk` object.
*
* @param psk A pointer to the `s2n_offered_psk` object to be freed.
*/
-S2N_API
-int s2n_offered_psk_free(struct s2n_offered_psk **psk);
+S2N_API int s2n_offered_psk_free(struct s2n_offered_psk **psk);
/**
* Gets the PSK identity and PSK identity length for a given offered PSK object.
@@ -2737,8 +2566,7 @@ int s2n_offered_psk_free(struct s2n_offered_psk **psk);
* @param identity The PSK identity being obtained.
* @param size The length of the PSK identity being obtained.
*/
-S2N_API
-int s2n_offered_psk_get_identity(struct s2n_offered_psk *psk, uint8_t **identity, uint16_t *size);
+S2N_API int s2n_offered_psk_get_identity(struct s2n_offered_psk *psk, uint8_t **identity, uint16_t *size);
struct s2n_offered_psk_list;
@@ -2754,8 +2582,7 @@ struct s2n_offered_psk_list;
* @param psk_list A pointer to the offered PSK list being read.
* @returns bool A boolean value representing whether an offered psk object is present next in line in the offered PSK list.
*/
-S2N_API
-bool s2n_offered_psk_list_has_next(struct s2n_offered_psk_list *psk_list);
+S2N_API bool s2n_offered_psk_list_has_next(struct s2n_offered_psk_list *psk_list);
/**
* Obtains the next offered PSK object from the list of offered PSKs. Use `s2n_offered_psk_list_has_next`
@@ -2764,8 +2591,7 @@ bool s2n_offered_psk_list_has_next(struct s2n_offered_psk_list *psk_list);
* @param psk_list A pointer to the offered PSK list being read.
* @param psk A pointer to the next offered PSK object being obtained.
*/
-S2N_API
-int s2n_offered_psk_list_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk);
+S2N_API int s2n_offered_psk_list_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk);
/**
* Returns the offered PSK list to its original read state.
@@ -2775,8 +2601,7 @@ int s2n_offered_psk_list_next(struct s2n_offered_psk_list *psk_list, struct s2n_
*
* @param psk_list A pointer to the offered PSK list being reread.
*/
-S2N_API
-int s2n_offered_psk_list_reread(struct s2n_offered_psk_list *psk_list);
+S2N_API int s2n_offered_psk_list_reread(struct s2n_offered_psk_list *psk_list);
/**
* Chooses a PSK from the offered PSK list to be used for the connection.
@@ -2817,8 +2642,7 @@ typedef int (*s2n_psk_selection_callback)(struct s2n_connection *conn, void *con
* @param cb The function that should be called when the callback is triggered.
* @param context A pointer to a context for the caller to pass state to the callback, if needed.
*/
-S2N_API
-int s2n_config_set_psk_selection_callback(struct s2n_config *config, s2n_psk_selection_callback cb, void *context);
+S2N_API int s2n_config_set_psk_selection_callback(struct s2n_config *config, s2n_psk_selection_callback cb, void *context);
/**
* Get the number of bytes the connection has received.
@@ -2826,8 +2650,7 @@ int s2n_config_set_psk_selection_callback(struct s2n_config *config, s2n_psk_sel
* @param conn A pointer to the connection
* @returns return the number of bytes received by s2n-tls "on the wire"
*/
-S2N_API
-extern uint64_t s2n_connection_get_wire_bytes_in(struct s2n_connection *conn);
+S2N_API extern uint64_t s2n_connection_get_wire_bytes_in(struct s2n_connection *conn);
/**
* Get the number of bytes the connection has transmitted out.
@@ -2835,8 +2658,7 @@ extern uint64_t s2n_connection_get_wire_bytes_in(struct s2n_connection *conn);
* @param conn A pointer to the connection
* @returns return the number of bytes transmitted out by s2n-tls "on the wire"
*/
-S2N_API
-extern uint64_t s2n_connection_get_wire_bytes_out(struct s2n_connection *conn);
+S2N_API extern uint64_t s2n_connection_get_wire_bytes_out(struct s2n_connection *conn);
/**
* Access the protocol version supported by the client.
@@ -2847,8 +2669,7 @@ extern uint64_t s2n_connection_get_wire_bytes_out(struct s2n_connection *conn);
* @param conn A pointer to the connection
* @returns returns the highest protocol version supported by the client
*/
-S2N_API
-extern int s2n_connection_get_client_protocol_version(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_client_protocol_version(struct s2n_connection *conn);
/**
* Access the protocol version supported by the server.
@@ -2859,8 +2680,7 @@ extern int s2n_connection_get_client_protocol_version(struct s2n_connection *con
* @param conn A pointer to the connection
* @returns Returns the highest protocol version supported by the server
*/
-S2N_API
-extern int s2n_connection_get_server_protocol_version(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_server_protocol_version(struct s2n_connection *conn);
/**
* Access the protocol version selected for the connection.
@@ -2871,8 +2691,7 @@ extern int s2n_connection_get_server_protocol_version(struct s2n_connection *con
* @param conn A pointer to the connection
* @returns The protocol version actually negotiated by the handshake
*/
-S2N_API
-extern int s2n_connection_get_actual_protocol_version(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_actual_protocol_version(struct s2n_connection *conn);
/**
* Access the client hello protocol version for the connection.
@@ -2883,8 +2702,7 @@ extern int s2n_connection_get_actual_protocol_version(struct s2n_connection *con
* @param conn A pointer to the connection
* @returns The protocol version used to send the initial client hello message.
*/
-S2N_API
-extern int s2n_connection_get_client_hello_version(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_client_hello_version(struct s2n_connection *conn);
/**
* Check if Client Auth was used for a connection.
@@ -2893,8 +2711,7 @@ extern int s2n_connection_get_client_hello_version(struct s2n_connection *conn);
* @returns 1 if the handshake completed and Client Auth was negotiated during then
* handshake.
*/
-S2N_API
-extern int s2n_connection_client_cert_used(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_client_cert_used(struct s2n_connection *conn);
/**
* A function that provides a human readable string of the cipher suite that was chosen
@@ -2909,8 +2726,7 @@ extern int s2n_connection_client_cert_used(struct s2n_connection *conn);
* @param conn A pointer to the connection
* @returns A string indicating the cipher suite negotiated by s2n in OpenSSL format.
*/
-S2N_API
-extern const char *s2n_connection_get_cipher(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_cipher(struct s2n_connection *conn);
/**
* Returns the IANA value for the connection's negotiated cipher suite.
@@ -2927,8 +2743,7 @@ extern const char *s2n_connection_get_cipher(struct s2n_connection *conn);
* @param second A pointer to a single byte, which will be updated with the second byte in the registered IANA value.
* @returns A POSIX error signal. If an error was returned, the values contained in `first` and `second` should be considered invalid.
*/
-S2N_API
-extern int s2n_connection_get_cipher_iana_value(struct s2n_connection *conn, uint8_t *first, uint8_t *second);
+S2N_API extern int s2n_connection_get_cipher_iana_value(struct s2n_connection *conn, uint8_t *first, uint8_t *second);
/**
* Function to check if the cipher used by current connection is supported by the current
@@ -2937,8 +2752,7 @@ extern int s2n_connection_get_cipher_iana_value(struct s2n_connection *conn, uin
* @param version A string representing the security policy to check against.
* @returns 1 if the connection satisfies the cipher suite. 0 if the connection does not satisfy the cipher suite. -1 if there is an error.
*/
-S2N_API
-extern int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version);
+S2N_API extern int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection *conn, const char *version);
/**
* Function to get the human readable elliptic curve name for the connection.
@@ -2946,8 +2760,7 @@ extern int s2n_connection_is_valid_for_cipher_preferences(struct s2n_connection
* @param conn A pointer to the s2n connection
* @returns A string indicating the elliptic curve used during ECDHE key exchange. The string "NONE" is returned if no curve was used.
*/
-S2N_API
-extern const char *s2n_connection_get_curve(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_curve(struct s2n_connection *conn);
/**
* Function to get the human readable KEM name for the connection.
@@ -2955,8 +2768,7 @@ extern const char *s2n_connection_get_curve(struct s2n_connection *conn);
* @param conn A pointer to the s2n connection
* @returns A human readable string for the KEM group. If there is no KEM configured returns "NONE"
*/
-S2N_API
-extern const char *s2n_connection_get_kem_name(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_kem_name(struct s2n_connection *conn);
/**
* Function to get the human readable KEM group name for the connection.
@@ -2964,8 +2776,7 @@ extern const char *s2n_connection_get_kem_name(struct s2n_connection *conn);
* @param conn A pointer to the s2n connection
* @returns A human readable string for the KEM group. If the connection is < TLS1.3 or there is no KEM group configured returns "NONE"
*/
-S2N_API
-extern const char *s2n_connection_get_kem_group_name(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_kem_group_name(struct s2n_connection *conn);
/**
* Function to get the alert that caused a connection to close. s2n-tls considers all
@@ -2974,8 +2785,7 @@ extern const char *s2n_connection_get_kem_group_name(struct s2n_connection *conn
* @param conn A pointer to the s2n connection
* @returns The TLS alert code that caused a connection to be shut down
*/
-S2N_API
-extern int s2n_connection_get_alert(struct s2n_connection *conn);
+S2N_API extern int s2n_connection_get_alert(struct s2n_connection *conn);
/**
* Function to return the last TLS handshake type that was processed. The returned format is a human readable string.
@@ -2983,16 +2793,14 @@ extern int s2n_connection_get_alert(struct s2n_connection *conn);
* @param conn A pointer to the s2n connection
* @returns A human-readable handshake type name, e.g. "NEGOTIATED|FULL_HANDSHAKE|PERFECT_FORWARD_SECRECY"
*/
-S2N_API
-extern const char *s2n_connection_get_handshake_type_name(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_handshake_type_name(struct s2n_connection *conn);
/**
* Function to return the last TLS message that was processed. The returned format is a human readable string.
* @param conn A pointer to the s2n connection
* @returns The last message name in the TLS state machine, e.g. "SERVER_HELLO", "APPLICATION_DATA".
*/
-S2N_API
-extern const char *s2n_connection_get_last_message_name(struct s2n_connection *conn);
+S2N_API extern const char *s2n_connection_get_last_message_name(struct s2n_connection *conn);
/**
* Opaque async private key operation handle
@@ -3040,8 +2848,7 @@ typedef int (*s2n_async_pkey_fn)(struct s2n_connection *conn, struct s2n_async_p
* @param config Config to set the callback
* @param fn The function that should be called for each private key operation
*/
-S2N_API
-extern int s2n_config_set_async_pkey_callback(struct s2n_config *config, s2n_async_pkey_fn fn);
+S2N_API extern int s2n_config_set_async_pkey_callback(struct s2n_config *config, s2n_async_pkey_fn fn);
/**
* Performs a private key operation using the given private key.
@@ -3055,8 +2862,7 @@ extern int s2n_config_set_async_pkey_callback(struct s2n_config *config, s2n_asy
* @param key The private key used for the operation. It can be extracted from
* `conn` through the `s2n_connection_get_selected_cert` and `s2n_cert_chain_and_key_get_private_key` calls
*/
-S2N_API
-extern int s2n_async_pkey_op_perform(struct s2n_async_pkey_op *op, s2n_cert_private_key *key);
+S2N_API extern int s2n_async_pkey_op_perform(struct s2n_async_pkey_op *op, s2n_cert_private_key *key);
/**
* Finalizes a private key operation and unblocks the connection.
@@ -3071,8 +2877,7 @@ extern int s2n_async_pkey_op_perform(struct s2n_async_pkey_op *op, s2n_cert_priv
* @param op An opaque object representing the private key operation
* @param conn The connection associated with the operation that should be unblocked
*/
-S2N_API
-extern int s2n_async_pkey_op_apply(struct s2n_async_pkey_op *op, struct s2n_connection *conn);
+S2N_API extern int s2n_async_pkey_op_apply(struct s2n_async_pkey_op *op, struct s2n_connection *conn);
/**
* Frees the opaque structure representing a private key operation.
@@ -3083,8 +2888,7 @@ extern int s2n_async_pkey_op_apply(struct s2n_async_pkey_op *op, struct s2n_conn
*
* @param op An opaque object representing the private key operation
*/
-S2N_API
-extern int s2n_async_pkey_op_free(struct s2n_async_pkey_op *op);
+S2N_API extern int s2n_async_pkey_op_free(struct s2n_async_pkey_op *op);
/**
* Configures whether or not s2n-tls will perform potentially expensive validation of
@@ -3093,8 +2897,7 @@ extern int s2n_async_pkey_op_free(struct s2n_async_pkey_op *op);
* @param config Config to set the validation mode for
* @param mode What level of validation to perform
*/
-S2N_API
-extern int s2n_config_set_async_pkey_validation_mode(struct s2n_config *config, s2n_async_pkey_validation_mode mode);
+S2N_API extern int s2n_config_set_async_pkey_validation_mode(struct s2n_config *config, s2n_async_pkey_validation_mode mode);
/**
* Returns the type of the private key operation.
@@ -3102,8 +2905,7 @@ extern int s2n_config_set_async_pkey_validation_mode(struct s2n_config *config,
* @param op An opaque object representing the private key operation
* @param type A pointer to be set to the type
*/
-S2N_API
-extern int s2n_async_pkey_op_get_op_type(struct s2n_async_pkey_op *op, s2n_async_pkey_op_type *type);
+S2N_API extern int s2n_async_pkey_op_get_op_type(struct s2n_async_pkey_op *op, s2n_async_pkey_op_type *type);
/**
* Returns the size of the input to the private key operation.
@@ -3111,8 +2913,7 @@ extern int s2n_async_pkey_op_get_op_type(struct s2n_async_pkey_op *op, s2n_async
* @param op An opaque object representing the private key operation
* @param data_len A pointer to be set to the size
*/
-S2N_API
-extern int s2n_async_pkey_op_get_input_size(struct s2n_async_pkey_op *op, uint32_t *data_len);
+S2N_API extern int s2n_async_pkey_op_get_input_size(struct s2n_async_pkey_op *op, uint32_t *data_len);
/**
* Returns the input to the private key operation.
@@ -3130,8 +2931,7 @@ extern int s2n_async_pkey_op_get_input_size(struct s2n_async_pkey_op *op, uint32
* @param data A pointer to a buffer to copy the input into
* @param data_len The maximum size of the `data` buffer
*/
-S2N_API
-extern int s2n_async_pkey_op_get_input(struct s2n_async_pkey_op *op, uint8_t *data, uint32_t data_len);
+S2N_API extern int s2n_async_pkey_op_get_input(struct s2n_async_pkey_op *op, uint8_t *data, uint32_t data_len);
/**
* Sets the output of the private key operation.
@@ -3144,8 +2944,7 @@ extern int s2n_async_pkey_op_get_input(struct s2n_async_pkey_op *op, uint8_t *da
* @param data A pointer to a buffer containing the output
* @param data_len The size of the `data` buffer
*/
-S2N_API
-extern int s2n_async_pkey_op_set_output(struct s2n_async_pkey_op *op, const uint8_t *data, uint32_t data_len);
+S2N_API extern int s2n_async_pkey_op_set_output(struct s2n_async_pkey_op *op, const uint8_t *data, uint32_t data_len);
/**
* Callback function for handling key log events
@@ -3185,8 +2984,7 @@ typedef int (*s2n_key_log_fn)(void *ctx, struct s2n_connection *conn, uint8_t *l
* @param callback The function that should be called for each secret log entry
* @param ctx The context to be passed when the callback is called
*/
-S2N_API
-extern int s2n_config_set_key_log_cb(struct s2n_config *config, s2n_key_log_fn callback, void *ctx);
+S2N_API extern int s2n_config_set_key_log_cb(struct s2n_config *config, s2n_key_log_fn callback, void *ctx);
/**
* s2n_config_enable_cert_req_dss_legacy_compat adds a dss cert type in the server certificate request when being called.
@@ -3194,8 +2992,7 @@ extern int s2n_config_set_key_log_cb(struct s2n_config *config, s2n_key_log_fn c
* Please DO NOT call this api unless you know you actually need legacy DSS certificate type compatibility
* @param config Config to enable legacy DSS certificates for
*/
-S2N_API
-extern int s2n_config_enable_cert_req_dss_legacy_compat(struct s2n_config *config);
+S2N_API extern int s2n_config_enable_cert_req_dss_legacy_compat(struct s2n_config *config);
/**
* Sets the maximum bytes of early data the server will accept.
diff --git a/contrib/restricted/aws/s2n/api/unstable/crl.h b/contrib/restricted/aws/s2n/api/unstable/crl.h
index 149dd84697..aafd141517 100644
--- a/contrib/restricted/aws/s2n/api/unstable/crl.h
+++ b/contrib/restricted/aws/s2n/api/unstable/crl.h
@@ -55,8 +55,7 @@ typedef int (*s2n_crl_lookup_callback)(struct s2n_crl_lookup *lookup, void *cont
* @param context Context to be passed to the callback function.
* @return S2N_SUCCESS on success, S2N_FAILURE on failure
*/
-S2N_API
-int s2n_config_set_crl_lookup_cb(struct s2n_config *config, s2n_crl_lookup_callback callback, void *context);
+S2N_API int s2n_config_set_crl_lookup_cb(struct s2n_config *config, s2n_crl_lookup_callback callback, void *context);
/**
* Allocates a new `s2n_crl` struct.
@@ -67,8 +66,7 @@ int s2n_config_set_crl_lookup_cb(struct s2n_config *config, s2n_crl_lookup_callb
*
* @return A pointer to the allocated `s2n_crl` struct.
*/
-S2N_API
-struct s2n_crl *s2n_crl_new(void);
+S2N_API struct s2n_crl *s2n_crl_new(void);
/**
* Loads a CRL with pem data.
@@ -78,8 +76,7 @@ struct s2n_crl *s2n_crl_new(void);
* @param len The length of the pem data.
* @return S2N_SUCCESS on success, S2N_FAILURE on error.
*/
-S2N_API
-int s2n_crl_load_pem(struct s2n_crl *crl, uint8_t *pem, size_t len);
+S2N_API int s2n_crl_load_pem(struct s2n_crl *crl, uint8_t *pem, size_t len);
/**
* Frees a CRL.
@@ -89,8 +86,7 @@ int s2n_crl_load_pem(struct s2n_crl *crl, uint8_t *pem, size_t len);
* @param crl The CRL to free.
* @return S2N_SUCCESS on success, S2N_FAILURE on error.
*/
-S2N_API
-int s2n_crl_free(struct s2n_crl **crl);
+S2N_API int s2n_crl_free(struct s2n_crl **crl);
/**
* Retrieves the issuer hash of a CRL.
@@ -103,8 +99,7 @@ int s2n_crl_free(struct s2n_crl **crl);
* @param hash A pointer that will be set to the hash value.
* @return S2N_SUCCESS on success. S2N_FAILURE on failure
*/
-S2N_API
-int s2n_crl_get_issuer_hash(struct s2n_crl *crl, uint64_t *hash);
+S2N_API int s2n_crl_get_issuer_hash(struct s2n_crl *crl, uint64_t *hash);
/**
* Determines if the CRL is currently active.
@@ -116,8 +111,7 @@ int s2n_crl_get_issuer_hash(struct s2n_crl *crl, uint64_t *hash);
* @param crl The CRL to validate.
* @return S2N_SUCCESS if `crl` is active, S2N_FAILURE if `crl` is not active, or the active status cannot be determined.
*/
-S2N_API
-int s2n_crl_validate_active(struct s2n_crl *crl);
+S2N_API int s2n_crl_validate_active(struct s2n_crl *crl);
/**
* Determines if the CRL has expired.
@@ -131,8 +125,7 @@ int s2n_crl_validate_active(struct s2n_crl *crl);
* @param crl The CRL to validate.
* @return S2N_SUCCESS if `crl` has not expired, S2N_FAILURE if `crl` has expired, or the expiration status cannot be determined.
*/
-S2N_API
-int s2n_crl_validate_not_expired(struct s2n_crl *crl);
+S2N_API int s2n_crl_validate_not_expired(struct s2n_crl *crl);
/**
* Retrieves the issuer hash of the certificate.
@@ -145,8 +138,7 @@ int s2n_crl_validate_not_expired(struct s2n_crl *crl);
* @param hash A pointer that will be set to the hash value.
* @return S2N_SUCCESS on success, S2N_FAILURE on failure.
*/
-S2N_API
-int s2n_crl_lookup_get_cert_issuer_hash(struct s2n_crl_lookup *lookup, uint64_t *hash);
+S2N_API int s2n_crl_lookup_get_cert_issuer_hash(struct s2n_crl_lookup *lookup, uint64_t *hash);
/**
* Provide s2n-tls with a CRL from the CRL lookup callback.
@@ -161,8 +153,7 @@ int s2n_crl_lookup_get_cert_issuer_hash(struct s2n_crl_lookup *lookup, uint64_t
* @param crl The CRL to include in the list of CRLs used to validate the certificate chain.
* @return S2N_SUCCESS on success, S2N_FAILURE on failure.
*/
-S2N_API
-int s2n_crl_lookup_set(struct s2n_crl_lookup *lookup, struct s2n_crl *crl);
+S2N_API int s2n_crl_lookup_set(struct s2n_crl_lookup *lookup, struct s2n_crl *crl);
/**
* Skip providing a CRL from the CRL lookup callback.
@@ -177,5 +168,4 @@ int s2n_crl_lookup_set(struct s2n_crl_lookup *lookup, struct s2n_crl *crl);
* @param lookup The CRL lookup for the given certificate.
* @return S2N_SUCCESS on success, S2N_FAILURE on failure.
*/
-S2N_API
-int s2n_crl_lookup_ignore(struct s2n_crl_lookup *lookup);
+S2N_API int s2n_crl_lookup_ignore(struct s2n_crl_lookup *lookup);
diff --git a/contrib/restricted/aws/s2n/api/unstable/renegotiate.h b/contrib/restricted/aws/s2n/api/unstable/renegotiate.h
index c605988cb8..b3e8e04d1a 100644
--- a/contrib/restricted/aws/s2n/api/unstable/renegotiate.h
+++ b/contrib/restricted/aws/s2n/api/unstable/renegotiate.h
@@ -81,8 +81,7 @@ typedef int (*s2n_renegotiate_request_cb)(struct s2n_connection *conn, void *con
* @param context Context to be passed to the callback function.
* @returns S2N_SUCCESS on success, S2N_FAILURE on error.
*/
-S2N_API
-int s2n_config_set_renegotiate_request_cb(struct s2n_config *config, s2n_renegotiate_request_cb callback, void *context);
+S2N_API int s2n_config_set_renegotiate_request_cb(struct s2n_config *config, s2n_renegotiate_request_cb callback, void *context);
/**
* Reset the connection so that it can be renegotiated.
@@ -115,8 +114,7 @@ int s2n_config_set_renegotiate_request_cb(struct s2n_config *config, s2n_renegot
* @param conn A pointer to the connection object.
* @returns S2N_SUCCESS on success, S2N_FAILURE on error.
*/
-S2N_API
-int s2n_renegotiate_wipe(struct s2n_connection *conn);
+S2N_API int s2n_renegotiate_wipe(struct s2n_connection *conn);
/**
* Perform a new handshake on an already established connection.
@@ -140,6 +138,5 @@ int s2n_renegotiate_wipe(struct s2n_connection *conn);
* @param blocked A pointer which will be set to the blocked status.
* @returns S2N_SUCCESS if the handshake completed. S2N_FAILURE if the handshake encountered an error or is blocked.
*/
-S2N_API
-int s2n_renegotiate(struct s2n_connection *conn, uint8_t *app_data_buf, ssize_t app_data_buf_size,
+S2N_API int s2n_renegotiate(struct s2n_connection *conn, uint8_t *app_data_buf, ssize_t app_data_buf_size,
ssize_t *app_data_size, s2n_blocked_status *blocked);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hash.c b/contrib/restricted/aws/s2n/crypto/s2n_hash.c
index b2d817851d..96dae1424c 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hash.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hash.c
@@ -165,8 +165,8 @@ static int s2n_low_level_hash_init(struct s2n_hash_state *state, s2n_hash_algori
POSIX_GUARD_OSSL(SHA512_Init(&state->digest.low_level.sha512), S2N_ERR_HASH_INIT_FAILED);
break;
case S2N_HASH_MD5_SHA1:
- POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_INIT_FAILED);;
- POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_INIT_FAILED);;
+ POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_INIT_FAILED);
+ POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_INIT_FAILED);
break;
default:
diff --git a/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_kem.c b/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_kem.c
index e35b3df805..06c86ccad2 100644
--- a/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_kem.c
+++ b/contrib/restricted/aws/s2n/pq-crypto/kyber_r3/kyber512r3_kem.c
@@ -24,7 +24,7 @@ S2N_ENSURE_PORTABLE_OPTIMIZATIONS
*
* Returns 0 (success)
**************************************************/
-int s2n_kyber_512_r3_crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
+int s2n_kyber_512_r3_crypto_kem_keypair(uint8_t *pk, uint8_t *sk)
{
POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
#if defined(S2N_KYBER512R3_AVX2_BMI2)
@@ -60,7 +60,7 @@ int s2n_kyber_512_r3_crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
*
* Returns 0 (success)
**************************************************/
-int s2n_kyber_512_r3_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk)
+int s2n_kyber_512_r3_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk)
{
POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
uint8_t buf[2*S2N_KYBER_512_R3_SYMBYTES];
@@ -109,7 +109,7 @@ int s2n_kyber_512_r3_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const
*
* On failure, ss will contain a pseudo-random value.
**************************************************/
-int s2n_kyber_512_r3_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk)
+int s2n_kyber_512_r3_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk)
{
POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
uint8_t buf[2*S2N_KYBER_512_R3_SYMBYTES];
diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c
new file mode 100644
index 0000000000..36e6d3d85e
--- /dev/null
+++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c
@@ -0,0 +1,86 @@
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+*
+* http://aws.amazon.com/apache2.0
+*
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+#include "s2n_kyber_512_evp.h"
+
+#include <openssl/evp.h>
+#include <stddef.h>
+
+#include "error/s2n_errno.h"
+#include "tls/s2n_kem.h"
+#include "utils/s2n_safety_macros.h"
+
+#if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER512)
+int s2n_kyber_512_evp_generate_keypair(uint8_t *public_key, uint8_t *private_key) {
+ EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KYBER512, NULL);
+ POSIX_GUARD_PTR(kyber_pkey_ctx);
+ POSIX_ENSURE(EVP_PKEY_keygen_init(kyber_pkey_ctx), S2N_FAILURE);
+
+ EVP_PKEY *kyber_pkey = NULL;
+ POSIX_ENSURE(EVP_PKEY_keygen(kyber_pkey_ctx, &kyber_pkey), S2N_FAILURE);
+
+ size_t public_key_size = S2N_KYBER_512_R3_PUBLIC_KEY_BYTES;
+ size_t private_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES;
+ POSIX_ENSURE(EVP_PKEY_get_raw_public_key(kyber_pkey, public_key, &public_key_size), S2N_FAILURE);
+ POSIX_ENSURE(EVP_PKEY_get_raw_private_key(kyber_pkey, private_key, &private_key_size), S2N_FAILURE);
+
+ return S2N_SUCCESS;
+}
+
+int s2n_kyber_512_evp_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret,
+ const uint8_t *public_key) {
+ size_t public_key_size = S2N_KYBER_512_R3_PUBLIC_KEY_BYTES;
+ EVP_PKEY *kyber_pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_KYBER512, NULL, public_key, public_key_size);
+ POSIX_GUARD_PTR(kyber_pkey);
+
+ EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL);
+ POSIX_GUARD_PTR(kyber_pkey_ctx);
+
+ size_t cipher_text_size = S2N_KYBER_512_R3_CIPHERTEXT_BYTES;
+ size_t shared_secret_size = S2N_KYBER_512_R3_SHARED_SECRET_BYTES;
+ POSIX_ENSURE(EVP_PKEY_encapsulate(kyber_pkey_ctx, ciphertext, &cipher_text_size, shared_secret,
+ &shared_secret_size), S2N_FAILURE);
+ return S2N_SUCCESS;
+}
+
+int s2n_kyber_512_evp_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext,
+ const uint8_t *private_key) {
+ size_t private_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES;
+ EVP_PKEY *kyber_pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_KYBER512, NULL, private_key, private_key_size);
+ POSIX_GUARD_PTR(kyber_pkey);
+
+ EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL);
+ POSIX_GUARD_PTR(kyber_pkey_ctx);
+
+ size_t shared_secret_size = S2N_KYBER_512_R3_SHARED_SECRET_BYTES;
+ POSIX_ENSURE(EVP_PKEY_decapsulate(kyber_pkey_ctx, shared_secret, &shared_secret_size, (uint8_t *) ciphertext,
+ S2N_KYBER_512_R3_CIPHERTEXT_BYTES), S2N_FAILURE);
+ return S2N_SUCCESS;
+}
+#else
+int s2n_kyber_512_evp_generate_keypair(OUT uint8_t *public_key, OUT uint8_t *private_key) {
+ POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
+}
+
+int s2n_kyber_512_evp_encapsulate(OUT uint8_t *ciphertext, OUT uint8_t *shared_secret,
+ IN const uint8_t *public_key) {
+ POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
+}
+
+int s2n_kyber_512_evp_decapsulate(OUT uint8_t *shared_secret, IN const uint8_t *ciphertext,
+ IN const uint8_t *private_key) {
+ POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
+}
+#endif
diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.h b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.h
new file mode 100644
index 0000000000..1a62a7cc92
--- /dev/null
+++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.h
@@ -0,0 +1,22 @@
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+*
+* http://aws.amazon.com/apache2.0
+*
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+#pragma once
+
+#include "tls/s2n_kem.h"
+
+int s2n_kyber_512_evp_generate_keypair(OUT uint8_t *public_key, OUT uint8_t *private_key);
+int s2n_kyber_512_evp_encapsulate(OUT uint8_t *ciphertext, OUT uint8_t *shared_secret, IN const uint8_t *public_key);
+int s2n_kyber_512_evp_decapsulate(OUT uint8_t *shared_secret, IN const uint8_t *ciphertext, IN const uint8_t *private_key);
diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
index e684aed377..abaf8f2d65 100644
--- a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
+++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.c
@@ -14,7 +14,9 @@
*/
#include "s2n_pq.h"
+
#include "crypto/s2n_openssl.h"
+#include "s2n_kyber_512_evp.h"
static bool kyber512r3_avx2_bmi2_enabled = false;
@@ -97,6 +99,13 @@ bool s2n_pq_is_enabled() {
#endif
}
+bool s2n_libcrypto_supports_kyber_512() {
+#if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER512)
+ return true;
+#else
+ return false;
+#endif
+}
S2N_RESULT s2n_disable_kyber512r3_opt_avx2_bmi2() {
kyber512r3_avx2_bmi2_enabled = false;
diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h
index 1c9ca37812..6ac074dc49 100644
--- a/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h
+++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_pq.h
@@ -26,4 +26,5 @@ S2N_RESULT s2n_try_enable_kyber512r3_opt_avx2_bmi2(void);
S2N_RESULT s2n_disable_kyber512r3_opt_avx2_bmi2(void);
bool s2n_pq_is_enabled(void);
+bool s2n_libcrypto_supports_kyber_512(void);
S2N_RESULT s2n_pq_init(void);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c
index 3690338fd3..62d5951e99 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c
@@ -55,6 +55,7 @@ struct s2n_cipher_suite *cipher_suites_20190801[] = {
const struct s2n_cipher_preferences cipher_preferences_20190801 = {
.count = s2n_array_len(cipher_suites_20190801),
.suites = cipher_suites_20190801,
+ .allow_chacha20_boosting = false,
};
/* Same as 20190801, but with ECDSA for TLS 1.2 added */
@@ -80,6 +81,7 @@ struct s2n_cipher_suite *cipher_suites_20210831[] = {
const struct s2n_cipher_preferences cipher_preferences_20210831 = {
.count = s2n_array_len(cipher_suites_20210831),
.suites = cipher_suites_20210831,
+ .allow_chacha20_boosting = false,
};
/*
@@ -107,6 +109,7 @@ struct s2n_cipher_suite *cipher_suites_default_fips[] = {
const struct s2n_cipher_preferences cipher_preferences_default_fips = {
.count = s2n_array_len(cipher_suites_default_fips),
.suites = cipher_suites_default_fips,
+ .allow_chacha20_boosting = false,
};
/* s2n's list of cipher suites, in order of preference, as of 2014-06-01 */
@@ -124,12 +127,14 @@ struct s2n_cipher_suite *cipher_suites_20140601[] = {
const struct s2n_cipher_preferences cipher_preferences_20140601 = {
.count = s2n_array_len(cipher_suites_20140601),
.suites = cipher_suites_20140601,
+ .allow_chacha20_boosting = false,
};
/* Disable SSLv3 due to POODLE */
const struct s2n_cipher_preferences cipher_preferences_20141001 = {
.count = s2n_array_len(cipher_suites_20140601),
.suites = cipher_suites_20140601,
+ .allow_chacha20_boosting = false,
};
/* Disable RC4 */
@@ -145,6 +150,7 @@ struct s2n_cipher_suite *cipher_suites_20150202[] = {
const struct s2n_cipher_preferences cipher_preferences_20150202 = {
.count = s2n_array_len(cipher_suites_20150202),
.suites = cipher_suites_20150202,
+ .allow_chacha20_boosting = false,
};
/* Support AES-GCM modes */
@@ -162,6 +168,7 @@ struct s2n_cipher_suite *cipher_suites_20150214[] = {
const struct s2n_cipher_preferences cipher_preferences_20150214 = {
.count = s2n_array_len(cipher_suites_20150214),
.suites = cipher_suites_20150214,
+ .allow_chacha20_boosting = false,
};
/* Make a CBC cipher #1 to avoid negotiating GCM with buggy Java clients */
@@ -184,6 +191,7 @@ struct s2n_cipher_suite *cipher_suites_20160411[] = {
const struct s2n_cipher_preferences cipher_preferences_20160411 = {
.count = s2n_array_len(cipher_suites_20160411),
.suites = cipher_suites_20160411,
+ .allow_chacha20_boosting = false,
};
/* Use ECDHE instead of plain DHE. Prioritize ECDHE in favour of non ECDHE; GCM in favour of CBC; AES128 in favour of AES256. */
@@ -203,6 +211,7 @@ struct s2n_cipher_suite *cipher_suites_20150306[] = {
const struct s2n_cipher_preferences cipher_preferences_20150306 = {
.count = s2n_array_len(cipher_suites_20150306),
.suites = cipher_suites_20150306,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_20160804[] = {
@@ -224,6 +233,7 @@ struct s2n_cipher_suite *cipher_suites_20160804[] = {
const struct s2n_cipher_preferences cipher_preferences_20160804 = {
.count = s2n_array_len(cipher_suites_20160804),
.suites = cipher_suites_20160804,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_20160824[] = {
@@ -240,6 +250,7 @@ struct s2n_cipher_suite *cipher_suites_20160824[] = {
const struct s2n_cipher_preferences cipher_preferences_20160824 = {
.count = s2n_array_len(cipher_suites_20160824),
.suites = cipher_suites_20160824,
+ .allow_chacha20_boosting = false,
};
/* Add ChaCha20 suite */
@@ -258,6 +269,7 @@ struct s2n_cipher_suite *cipher_suites_20170210[] = {
const struct s2n_cipher_preferences cipher_preferences_20170210 = {
.count = s2n_array_len(cipher_suites_20170210),
.suites = cipher_suites_20170210,
+ .allow_chacha20_boosting = false,
};
/* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
@@ -281,6 +293,7 @@ struct s2n_cipher_suite *cipher_suites_20190122[] = {
const struct s2n_cipher_preferences cipher_preferences_20190122 = {
.count = s2n_array_len(cipher_suites_20190122),
.suites = cipher_suites_20190122,
+ .allow_chacha20_boosting = false,
};
/* Same as 20160804, but with ChaCha20 added as 2nd in Preference List */
@@ -304,6 +317,7 @@ struct s2n_cipher_suite *cipher_suites_20190121[] = {
const struct s2n_cipher_preferences cipher_preferences_20190121 = {
.count = s2n_array_len(cipher_suites_20190121),
.suites = cipher_suites_20190121,
+ .allow_chacha20_boosting = false,
};
/* Same as 20160411, but with ChaCha20 in 3rd Place after CBC and GCM */
@@ -327,6 +341,7 @@ struct s2n_cipher_suite *cipher_suites_20190120[] = {
const struct s2n_cipher_preferences cipher_preferences_20190120 = {
.count = s2n_array_len(cipher_suites_20190120),
.suites = cipher_suites_20190120,
+ .allow_chacha20_boosting = false,
};
/* Preferences optimized for interop, includes ECDSA priortitized. DHE and 3DES are added(at the lowest preference). */
@@ -361,6 +376,7 @@ struct s2n_cipher_suite *cipher_suites_20190214[] = {
const struct s2n_cipher_preferences cipher_preferences_20190214 = {
.count = s2n_array_len(cipher_suites_20190214),
.suites = cipher_suites_20190214,
+ .allow_chacha20_boosting = false,
};
/* 20190214 with aes-gcm prioritized above aes-cbc */
@@ -395,6 +411,7 @@ struct s2n_cipher_suite *cipher_suites_20190214_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20190214_gcm = {
.count = s2n_array_len(cipher_suites_20190214_gcm),
.suites = cipher_suites_20190214_gcm,
+ .allow_chacha20_boosting = false,
};
/* Same as cipher_suites_20190214, but with TLS 1.3 Ciphers */
@@ -430,6 +447,7 @@ struct s2n_cipher_suite *cipher_suites_20210825[] = {
const struct s2n_cipher_preferences cipher_preferences_20210825 = {
.count = s2n_array_len(cipher_suites_20210825),
.suites = cipher_suites_20210825,
+ .allow_chacha20_boosting = false,
};
/* Same as cipher_suites_20190214_gcm, but with TLS 1.3 Ciphers */
@@ -465,6 +483,7 @@ struct s2n_cipher_suite *cipher_suites_20210825_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20210825_gcm = {
.count = s2n_array_len(cipher_suites_20210825_gcm),
.suites = cipher_suites_20210825_gcm,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_null[] = {
@@ -474,6 +493,7 @@ struct s2n_cipher_suite *cipher_suites_null[] = {
const struct s2n_cipher_preferences cipher_preferences_null = {
.count = s2n_array_len(cipher_suites_null),
.suites = cipher_suites_null,
+ .allow_chacha20_boosting = false,
};
/* Preferences optimized for interop. DHE and 3DES are added(at the lowest preference). */
@@ -502,6 +522,7 @@ struct s2n_cipher_suite *cipher_suites_20170328[] = {
const struct s2n_cipher_preferences cipher_preferences_20170328 = {
.count = s2n_array_len(cipher_suites_20170328),
.suites = cipher_suites_20170328,
+ .allow_chacha20_boosting = false,
};
/* Equivalent to cipher_suites_20170328 with aes-gcm prioritized above aes-cbc */
@@ -530,6 +551,7 @@ struct s2n_cipher_suite *cipher_suites_20170328_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20170328_gcm = {
.count = s2n_array_len(cipher_suites_20170328_gcm),
.suites = cipher_suites_20170328_gcm,
+ .allow_chacha20_boosting = false,
};
/* Preferences optimized for FIPS compatibility. */
@@ -550,6 +572,7 @@ struct s2n_cipher_suite *cipher_suites_20170405[] = {
const struct s2n_cipher_preferences cipher_preferences_20170405 = {
.count = s2n_array_len(cipher_suites_20170405),
.suites = cipher_suites_20170405,
+ .allow_chacha20_boosting = false,
};
/* Preferences optimized for FIPS compatibility with GCM prioritized */
@@ -570,6 +593,7 @@ struct s2n_cipher_suite *cipher_suites_20170405_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20170405_gcm = {
.count = s2n_array_len(cipher_suites_20170405_gcm),
.suites = cipher_suites_20170405_gcm,
+ .allow_chacha20_boosting = false,
};
/* Equivalent to cipher_suite_20160411 with 3DES removed.
@@ -592,6 +616,7 @@ struct s2n_cipher_suite *cipher_suites_20170718[] = {
const struct s2n_cipher_preferences cipher_preferences_20170718 = {
.count = s2n_array_len(cipher_suites_20170718),
.suites = cipher_suites_20170718,
+ .allow_chacha20_boosting = false,
};
/* Equivalent to cipher_suites_20170718 with aes-gcm prioritized above aes-cbc */
@@ -613,6 +638,7 @@ struct s2n_cipher_suite *cipher_suites_20170718_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20170718_gcm = {
.count = s2n_array_len(cipher_suites_20170718_gcm),
.suites = cipher_suites_20170718_gcm,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_2015_04[] = {
@@ -640,6 +666,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_2015_04[] = {
const struct s2n_cipher_preferences elb_security_policy_2015_04 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_2015_04),
.suites = cipher_suites_elb_security_policy_2015_04,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_2016_08[] = {
@@ -666,6 +693,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_2016_08[] = {
const struct s2n_cipher_preferences elb_security_policy_2016_08 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_2016_08),
.suites = cipher_suites_elb_security_policy_2016_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_2_2017_01[] = {
@@ -686,6 +714,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_2_2017_01[] = {
const struct s2n_cipher_preferences elb_security_policy_tls_1_2_2017_01 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_tls_1_2_2017_01),
.suites = cipher_suites_elb_security_policy_tls_1_2_2017_01,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_1_2017_01[] = {
@@ -712,6 +741,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_1_2017_01[] = {
const struct s2n_cipher_preferences elb_security_policy_tls_1_1_2017_01 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_tls_1_1_2017_01),
.suites = cipher_suites_elb_security_policy_tls_1_1_2017_01,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_2_ext_2018_06[] = {
@@ -738,6 +768,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_tls_1_2_ext_2018_06[]
const struct s2n_cipher_preferences elb_security_policy_tls_1_2_ext_2018_06 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_tls_1_2_ext_2018_06),
.suites = cipher_suites_elb_security_policy_tls_1_2_ext_2018_06,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_2018_06[] = {
@@ -758,6 +789,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_2018_06[] = {
const struct s2n_cipher_preferences elb_security_policy_fs_2018_06 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_fs_2018_06),
.suites = cipher_suites_elb_security_policy_fs_2018_06,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_2_2019_08[] = {
@@ -778,6 +810,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_2_2019_08[] = {
const struct s2n_cipher_preferences elb_security_policy_fs_1_2_2019_08 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_fs_1_2_2019_08),
.suites = cipher_suites_elb_security_policy_fs_1_2_2019_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_1_2019_08[] = {
@@ -798,6 +831,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_1_2019_08[] = {
const struct s2n_cipher_preferences elb_security_policy_fs_1_1_2019_08 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_fs_1_1_2019_08),
.suites = cipher_suites_elb_security_policy_fs_1_1_2019_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_2_Res_2019_08[] = {
@@ -814,6 +848,7 @@ struct s2n_cipher_suite *cipher_suites_elb_security_policy_fs_1_2_Res_2019_08[]
const struct s2n_cipher_preferences elb_security_policy_fs_1_2_Res_2019_08 = {
.count = s2n_array_len(cipher_suites_elb_security_policy_fs_1_2_Res_2019_08),
.suites = cipher_suites_elb_security_policy_fs_1_2_Res_2019_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_upstream[] = {
@@ -841,6 +876,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_upstream[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream = {
.count = s2n_array_len(cipher_suites_cloudfront_upstream),
.suites = cipher_suites_cloudfront_upstream,
+ .allow_chacha20_boosting = false,
};
/* CloudFront viewer facing (with TLS 1.3) */
@@ -865,6 +901,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_ssl_v_3[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3 = {
.count = s2n_array_len(cipher_suites_cloudfront_ssl_v_3),
.suites = cipher_suites_cloudfront_ssl_v_3,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014[] = {
@@ -894,6 +931,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2014),
.suites = cipher_suites_cloudfront_tls_1_0_2014,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016[] = {
@@ -922,6 +960,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2016),
.suites = cipher_suites_cloudfront_tls_1_0_2016,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016[] = {
@@ -950,6 +989,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_1_2016),
.suites = cipher_suites_cloudfront_tls_1_1_2016,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018[] = {
@@ -972,6 +1012,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2018),
.suites = cipher_suites_cloudfront_tls_1_2_2018,
+ .allow_chacha20_boosting = false,
};
/* CloudFront viewer facing legacy TLS 1.2 policies */
@@ -1000,6 +1041,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_ssl_v_3_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_ssl_v_3_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_ssl_v_3_legacy),
.suites = cipher_suites_cloudfront_ssl_v_3_legacy,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014_legacy[] = {
@@ -1026,6 +1068,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2014_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2014_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2014_legacy),
.suites = cipher_suites_cloudfront_tls_1_0_2014_legacy,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016_legacy[] = {
@@ -1051,6 +1094,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_0_2016_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_0_2016_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_0_2016_legacy),
.suites = cipher_suites_cloudfront_tls_1_0_2016_legacy,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016_legacy[] = {
@@ -1076,6 +1120,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_1_2016_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_1_2016_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_1_2016_legacy),
.suites = cipher_suites_cloudfront_tls_1_1_2016_legacy,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018_legacy[] = {
@@ -1095,6 +1140,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2018_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2018_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2018_legacy),
.suites = cipher_suites_cloudfront_tls_1_2_2018_legacy,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019_legacy[] = {
@@ -1111,6 +1157,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019_legacy[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019_legacy = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2019_legacy),
.suites = cipher_suites_cloudfront_tls_1_2_2019_legacy,
+ .allow_chacha20_boosting = false,
};
/* CloudFront upstream */
@@ -1139,6 +1186,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls10[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls10 = {
.count = s2n_array_len(cipher_suites_cloudfront_upstream_tls10),
.suites = cipher_suites_cloudfront_upstream_tls10,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls11[] = {
@@ -1166,6 +1214,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls11[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls11 = {
.count = s2n_array_len(cipher_suites_cloudfront_upstream_tls11),
.suites = cipher_suites_cloudfront_upstream_tls11,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls12[] = {
@@ -1193,6 +1242,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_upstream_tls12[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_upstream_tls12 = {
.count = s2n_array_len(cipher_suites_cloudfront_upstream_tls12),
.suites = cipher_suites_cloudfront_upstream_tls12,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019[] = {
@@ -1212,6 +1262,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2019[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2019 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2019),
.suites = cipher_suites_cloudfront_tls_1_2_2019,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2021[] = {
@@ -1227,6 +1278,7 @@ struct s2n_cipher_suite *cipher_suites_cloudfront_tls_1_2_2021[] = {
const struct s2n_cipher_preferences cipher_preferences_cloudfront_tls_1_2_2021 = {
.count = s2n_array_len(cipher_suites_cloudfront_tls_1_2_2021),
.suites = cipher_suites_cloudfront_tls_1_2_2021,
+ .allow_chacha20_boosting = false,
};
/* Based on cipher_preferences_cloudfront_tls_1_0_2016, but with ordering changed and AES256-SHA256, DES-CBC3-SHA, and
@@ -1260,6 +1312,7 @@ struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_ssl_v3[] = {
const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_ssl_v3 = {
.count = s2n_array_len(cipher_suites_aws_crt_sdk_ssl_v3),
.suites = cipher_suites_aws_crt_sdk_ssl_v3,
+ .allow_chacha20_boosting = false,
};
/* Based on cipher_preferences_cloudfront_tls_1_0_2016, but with ordering changed and AES256-SHA256 added for
@@ -1291,6 +1344,7 @@ struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_default[] = {
const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_default = {
.count = s2n_array_len(cipher_suites_aws_crt_sdk_default),
.suites = cipher_suites_aws_crt_sdk_default,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_tls_13[] = {
@@ -1300,6 +1354,7 @@ struct s2n_cipher_suite *cipher_suites_aws_crt_sdk_tls_13[] = {
const struct s2n_cipher_preferences cipher_preferences_aws_crt_sdk_tls_13 = {
.count = s2n_array_len(cipher_suites_aws_crt_sdk_tls_13),
.suites = cipher_suites_aws_crt_sdk_tls_13,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_kms_tls_1_0_2018_10[] = {
@@ -1318,6 +1373,7 @@ struct s2n_cipher_suite *cipher_suites_kms_tls_1_0_2018_10[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_tls_1_0_2018_10 = {
.count = s2n_array_len(cipher_suites_kms_tls_1_0_2018_10),
.suites = cipher_suites_kms_tls_1_0_2018_10,
+ .allow_chacha20_boosting = false,
};
@@ -1338,6 +1394,7 @@ struct s2n_cipher_suite *cipher_suites_kms_tls_1_0_2021_08[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_tls_1_0_2021_08 = {
.count = s2n_array_len(cipher_suites_kms_tls_1_0_2021_08),
.suites = cipher_suites_kms_tls_1_0_2021_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_kms_pq_tls_1_0_2019_06[] = {
@@ -1357,6 +1414,7 @@ struct s2n_cipher_suite *cipher_suites_kms_pq_tls_1_0_2019_06[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2019_06 = {
.count = s2n_array_len(cipher_suites_kms_pq_tls_1_0_2019_06),
.suites = cipher_suites_kms_pq_tls_1_0_2019_06,
+ .allow_chacha20_boosting = false,
};
/* Includes round 1 and round 2 PQ KEM params. The cipher suite list is the same
@@ -1364,6 +1422,7 @@ const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2019_06 =
const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2020_02 = {
.count = s2n_array_len(cipher_suites_kms_pq_tls_1_0_2019_06),
.suites = cipher_suites_kms_pq_tls_1_0_2019_06,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_pq_sike_test_tls_1_0_2019_11[] = {
@@ -1383,6 +1442,7 @@ struct s2n_cipher_suite *cipher_suites_pq_sike_test_tls_1_0_2019_11[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2019_11 = {
.count = s2n_array_len(cipher_suites_pq_sike_test_tls_1_0_2019_11),
.suites = cipher_suites_pq_sike_test_tls_1_0_2019_11,
+ .allow_chacha20_boosting = false,
};
/* Previously included SIKE round 1 and round 2 (for integration tests). The cipher suite list
@@ -1390,6 +1450,7 @@ const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2019
const struct s2n_cipher_preferences cipher_preferences_pq_sike_test_tls_1_0_2020_02 = {
.count = s2n_array_len(cipher_suites_pq_sike_test_tls_1_0_2019_11),
.suites = cipher_suites_pq_sike_test_tls_1_0_2019_11,
+ .allow_chacha20_boosting = false,
};
/* Includes Kyber PQ algorithm */
@@ -1410,6 +1471,7 @@ struct s2n_cipher_suite *cipher_suites_kms_pq_tls_1_0_2020_07[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_pq_tls_1_0_2020_07 = {
.count = s2n_array_len(cipher_suites_kms_pq_tls_1_0_2020_07),
.suites = cipher_suites_kms_pq_tls_1_0_2020_07,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2020_12[] = {
@@ -1430,6 +1492,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2020_12[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2020_12 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2020_12),
.suites = cipher_suites_pq_tls_1_0_2020_12,
+ .allow_chacha20_boosting = false,
};
/* Same as ELBSecurityPolicy-TLS-1-1-2017-01, but with PQ Ciphers appended to top of preference list */
@@ -1458,6 +1521,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_1_2021_05_17[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_1_2021_05_17 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_1_2021_05_17),
.suites = cipher_suites_pq_tls_1_1_2021_05_17,
+ .allow_chacha20_boosting = false,
};
/* Same as cipher_preferences_20190214, but with PQ Ciphers appended to top of preference list */
@@ -1493,6 +1557,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_18[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_18 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_18),
.suites = cipher_suites_pq_tls_1_0_2021_05_18,
+ .allow_chacha20_boosting = false,
};
/* Same as ELBSecurityPolicy-2016-08, but with PQ Ciphers appended to top of preference list */
@@ -1521,6 +1586,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_19[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_19 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_19),
.suites = cipher_suites_pq_tls_1_0_2021_05_19,
+ .allow_chacha20_boosting = false,
};
/* Same as ELBSecurityPolicy-TLS-1-1-2017-01, but with TLS 1.3 and PQ Ciphers appended to top of preference list */
@@ -1551,6 +1617,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_1_2021_05_21[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_1_2021_05_21 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_1_2021_05_21),
.suites = cipher_suites_pq_tls_1_1_2021_05_21,
+ .allow_chacha20_boosting = false,
};
/* Same as cipher_preferences_20190214, but with TLS 1.3 and PQ Ciphers appended to top of preference list */
@@ -1588,6 +1655,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_22[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_22 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_22),
.suites = cipher_suites_pq_tls_1_0_2021_05_22,
+ .allow_chacha20_boosting = false,
};
/* Same as ELBSecurityPolicy-2016-08, but with TLS 1.3 and PQ Ciphers appended to top of preference list */
@@ -1618,6 +1686,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_23[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_23 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_23),
.suites = cipher_suites_pq_tls_1_0_2021_05_23,
+ .allow_chacha20_boosting = false,
};
/* Same as cipher_preferences_kms_pq_tls_1_0_2020_07, but with TLS 1.3 appended to top of preference list */
@@ -1640,6 +1709,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_24[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_24 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_24),
.suites = cipher_suites_pq_tls_1_0_2021_05_24,
+ .allow_chacha20_boosting = false,
};
/* Same as 20190214_gcm, but with PQ Ciphers appended to top of preference list */
@@ -1675,6 +1745,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_25[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_25 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_25),
.suites = cipher_suites_pq_tls_1_0_2021_05_25,
+ .allow_chacha20_boosting = false,
};
/* Same as 20190214_gcm, but with TLS 1.3 and PQ Ciphers appended to top of preference list */
@@ -1712,6 +1783,7 @@ struct s2n_cipher_suite *cipher_suites_pq_tls_1_0_2021_05_26[] = {
const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_26 = {
.count = s2n_array_len(cipher_suites_pq_tls_1_0_2021_05_26),
.suites = cipher_suites_pq_tls_1_0_2021_05_26,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_kms_fips_tls_1_2_2018_10[] = {
@@ -1726,6 +1798,7 @@ struct s2n_cipher_suite *cipher_suites_kms_fips_tls_1_2_2018_10[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_fips_tls_1_2_2018_10 = {
.count = s2n_array_len(cipher_suites_kms_fips_tls_1_2_2018_10),
.suites = cipher_suites_kms_fips_tls_1_2_2018_10,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_kms_fips_tls_1_2_2021_08[] = {
@@ -1742,6 +1815,7 @@ struct s2n_cipher_suite *cipher_suites_kms_fips_tls_1_2_2021_08[] = {
const struct s2n_cipher_preferences cipher_preferences_kms_fips_tls_1_2_2021_08 = {
.count = s2n_array_len(cipher_suites_kms_fips_tls_1_2_2021_08),
.suites = cipher_suites_kms_fips_tls_1_2_2021_08,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_20210816[] = {
@@ -1754,6 +1828,7 @@ struct s2n_cipher_suite *cipher_suites_20210816[] = {
const struct s2n_cipher_preferences cipher_preferences_20210816 = {
.count = s2n_array_len(cipher_suites_20210816),
.suites = cipher_suites_20210816,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_20210816_gcm[] = {
@@ -1766,6 +1841,7 @@ struct s2n_cipher_suite *cipher_suites_20210816_gcm[] = {
const struct s2n_cipher_preferences cipher_preferences_20210816_gcm = {
.count = s2n_array_len(cipher_suites_20210816_gcm),
.suites = cipher_suites_20210816_gcm,
+ .allow_chacha20_boosting = false,
};
struct s2n_cipher_suite *cipher_suites_rfc9151[] = {
@@ -1782,6 +1858,7 @@ struct s2n_cipher_suite *cipher_suites_rfc9151[] = {
const struct s2n_cipher_preferences cipher_preferences_rfc9151 = {
.count = s2n_array_len(cipher_suites_rfc9151),
.suites = cipher_suites_rfc9151,
+ .allow_chacha20_boosting = false,
};
/* clang-format on */
diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h
index 455c8a71f2..6cfa6700a8 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h
@@ -23,6 +23,7 @@
struct s2n_cipher_preferences {
uint8_t count;
struct s2n_cipher_suite **suites;
+ bool allow_chacha20_boosting;
};
extern const struct s2n_cipher_preferences cipher_preferences_20140601;
@@ -125,4 +126,3 @@ extern const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05
extern const struct s2n_cipher_preferences cipher_preferences_pq_tls_1_0_2021_05_26;
extern const struct s2n_cipher_preferences cipher_preferences_null;
-
diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
index f16304a6ce..f6f3cce710 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.c
@@ -1169,6 +1169,30 @@ static int s2n_wire_ciphers_contain(const uint8_t *match, const uint8_t *wire, u
return 0;
}
+bool s2n_cipher_suite_uses_chacha20_alg(struct s2n_cipher_suite *cipher_suite) {
+ return cipher_suite && cipher_suite->record_alg && cipher_suite->record_alg->cipher == &s2n_chacha20_poly1305;
+}
+
+/* Iff the server has enabled allow_chacha20_boosting and the client has a chacha20 cipher suite as its most
+ * preferred cipher suite, then we have mutual chacha20 boosting support.
+ */
+static S2N_RESULT s2n_validate_chacha20_boosting(const struct s2n_cipher_preferences *cipher_preferences, const uint8_t *wire,
+ uint32_t cipher_suite_len) {
+ RESULT_ENSURE_REF(cipher_preferences);
+ RESULT_ENSURE_REF(wire);
+
+ RESULT_ENSURE_EQ(cipher_preferences->allow_chacha20_boosting, true);
+
+ const uint8_t *clients_first_cipher_iana = wire + cipher_suite_len - S2N_TLS_CIPHER_SUITE_LEN;
+
+ struct s2n_cipher_suite *client_first_cipher_suite = NULL;
+ RESULT_GUARD(s2n_cipher_suite_from_iana(clients_first_cipher_iana, S2N_TLS_CIPHER_SUITE_LEN, &client_first_cipher_suite));
+ RESULT_ENSURE_REF(client_first_cipher_suite);
+
+ RESULT_ENSURE_EQ(s2n_cipher_suite_uses_chacha20_alg(client_first_cipher_suite), true);
+ return S2N_RESULT_OK;
+}
+
static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire, uint32_t count, uint32_t cipher_suite_len)
{
POSIX_ENSURE_REF(conn);
@@ -1176,6 +1200,7 @@ static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire,
uint8_t renegotiation_info_scsv[S2N_TLS_CIPHER_SUITE_LEN] = { TLS_EMPTY_RENEGOTIATION_INFO_SCSV };
struct s2n_cipher_suite *higher_vers_match = NULL;
+ struct s2n_cipher_suite *non_chacha20_match = NULL;
/* RFC 7507 - If client is attempting to negotiate a TLS Version that is lower than the highest supported server
* version, and the client cipher list contains TLS_FALLBACK_SCSV, then the server must abort the connection since
@@ -1210,13 +1235,27 @@ static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire,
const struct s2n_security_policy *security_policy;
POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
- /* s2n supports only server order */
- for (int i = 0; i < security_policy->cipher_preferences->count; i++) {
- const uint8_t *ours = security_policy->cipher_preferences->suites[i]->iana_value;
+ const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
+ POSIX_ENSURE_REF(cipher_preferences);
+
+ bool try_chacha20_boosting = s2n_result_is_ok(s2n_validate_chacha20_boosting(cipher_preferences, wire, cipher_suite_len));
+
+ /*
+ * s2n only respects server preference order and chooses the server's
+ * most preferred mutually supported cipher suite.
+ *
+ * If chacha20 boosting is enabled, we prefer chacha20 cipher suites over all
+ * other cipher suites.
+ *
+ * If no mutually supported cipher suites are found, we choose one with a version
+ * too high for the current connection (higher_vers_match).
+ */
+ for (size_t i = 0; i < cipher_preferences->count; i++) {
+ const uint8_t *ours = cipher_preferences->suites[i]->iana_value;
if (s2n_wire_ciphers_contain(ours, wire, count, cipher_suite_len)) {
/* We have a match */
- struct s2n_cipher_suite *match = security_policy->cipher_preferences->suites[i];
+ struct s2n_cipher_suite *match = cipher_preferences->suites[i];
/* Never use TLS1.3 ciphers on a pre-TLS1.3 connection, and vice versa */
if ((conn->actual_protocol_version >= S2N_TLS13) != (match->minimum_required_tls_version >= S2N_TLS13)) {
@@ -1272,11 +1311,30 @@ static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire,
continue;
}
+ /* The server and client have chacha20 boosting support enabled AND the server identified a negotiable match */
+ if (try_chacha20_boosting) {
+ if (s2n_cipher_suite_uses_chacha20_alg(match)) {
+ conn->secure->cipher_suite = match;
+ return S2N_SUCCESS;
+ }
+
+ /* Save the valid non-chacha20 match in case no valid chacha20 match is found */
+ if (!non_chacha20_match) {
+ non_chacha20_match = match;
+ }
+ continue;
+ }
+
conn->secure->cipher_suite = match;
return S2N_SUCCESS;
}
}
+ if (non_chacha20_match) {
+ conn->secure->cipher_suite = non_chacha20_match;
+ return S2N_SUCCESS;
+ }
+
/* Settle for a cipher with a higher required proto version, if it was set */
if (higher_vers_match) {
conn->secure->cipher_suite = higher_vers_match;
diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.h b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.h
index 08d878575e..f00fa19a14 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_suites.h
@@ -161,6 +161,7 @@ extern struct s2n_cipher_suite s2n_tls13_chacha20_poly1305_sha256;
extern int s2n_cipher_suites_init(void);
S2N_RESULT s2n_cipher_suites_cleanup(void);
S2N_RESULT s2n_cipher_suite_from_iana(const uint8_t *iana, size_t iana_len, struct s2n_cipher_suite **cipher_suite);
+bool s2n_cipher_suite_uses_chacha20_alg(struct s2n_cipher_suite *cipher_suite);
extern int s2n_set_cipher_as_client(struct s2n_connection *conn, uint8_t wire[S2N_TLS_CIPHER_SUITE_LEN]);
extern int s2n_set_cipher_as_sslv2_server(struct s2n_connection *conn, uint8_t * wire, uint16_t count);
extern int s2n_set_cipher_as_tls_server(struct s2n_connection *conn, uint8_t * wire, uint16_t count);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_config.c b/contrib/restricted/aws/s2n/tls/s2n_config.c
index 75ea75dd79..48fb0f0ece 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_config.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_config.c
@@ -160,7 +160,7 @@ static int s2n_config_update_domain_name_to_cert_map(struct s2n_config *config,
POSIX_GUARD_RESULT(s2n_map_add(domain_name_to_cert_map, name, &s2n_map_value));
POSIX_GUARD_RESULT(s2n_map_complete(domain_name_to_cert_map));
} else {
- struct certs_by_type *value = (void *) s2n_map_value.data;;
+ struct certs_by_type *value = (void *) s2n_map_value.data;
if (value->certs[cert_type] == NULL) {
value->certs[cert_type] = cert_key_pair;
} else if (config->cert_tiebreak_cb) {
diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.c b/contrib/restricted/aws/s2n/tls/s2n_connection.c
index f0bb3c4888..c7b5e69951 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_connection.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_connection.c
@@ -271,6 +271,7 @@ int s2n_connection_free(struct s2n_connection *conn)
POSIX_GUARD(s2n_stuffer_free(&conn->in));
POSIX_GUARD(s2n_stuffer_free(&conn->out));
POSIX_GUARD(s2n_stuffer_free(&conn->handshake.io));
+ POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in));
s2n_x509_validator_wipe(&conn->x509_validator);
POSIX_GUARD(s2n_client_hello_free(&conn->client_hello));
POSIX_GUARD(s2n_free(&conn->application_protocols_overridden));
@@ -397,6 +398,9 @@ int s2n_connection_release_buffers(struct s2n_connection *conn)
POSIX_ENSURE(s2n_stuffer_is_consumed(&conn->in), S2N_ERR_STUFFER_HAS_UNPROCESSED_DATA);
POSIX_GUARD(s2n_stuffer_resize(&conn->in, 0));
+ POSIX_ENSURE(s2n_stuffer_is_consumed(&conn->post_handshake.in), S2N_ERR_STUFFER_HAS_UNPROCESSED_DATA);
+ POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in));
+
POSIX_POSTCONDITION(s2n_stuffer_validate(&conn->out));
POSIX_POSTCONDITION(s2n_stuffer_validate(&conn->in));
return S2N_SUCCESS;
@@ -487,11 +491,15 @@ int s2n_connection_wipe(struct s2n_connection *conn)
POSIX_GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
POSIX_GUARD(s2n_stuffer_wipe(&conn->client_ticket_to_decrypt));
POSIX_GUARD(s2n_stuffer_wipe(&conn->handshake.io));
+ POSIX_GUARD(s2n_stuffer_wipe(&conn->post_handshake.in));
POSIX_GUARD(s2n_blob_zero(&conn->client_hello.raw_message));
POSIX_GUARD(s2n_stuffer_wipe(&conn->header_in));
POSIX_GUARD(s2n_stuffer_wipe(&conn->in));
POSIX_GUARD(s2n_stuffer_wipe(&conn->out));
+ /* Free stuffers we plan to just recreate */
+ POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in));
+
POSIX_GUARD_RESULT(s2n_psk_parameters_wipe(&conn->psk_params));
/* Wipe the I/O-related info and restore the original socket if necessary */
diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.h b/contrib/restricted/aws/s2n/tls/s2n_connection.h
index deacc58d82..aed7d56314 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_connection.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_connection.h
@@ -30,6 +30,7 @@
#include "tls/s2n_handshake.h"
#include "tls/s2n_kem_preferences.h"
#include "tls/s2n_key_update.h"
+#include "tls/s2n_post_handshake.h"
#include "tls/s2n_prf.h"
#include "tls/s2n_quic_support.h"
#include "tls/s2n_record.h"
@@ -382,6 +383,8 @@ struct s2n_connection {
uint32_t server_max_early_data_size;
struct s2n_blob server_early_data_context;
uint32_t server_keying_material_lifetime;
+
+ struct s2n_post_handshake post_handshake;
};
S2N_CLEANUP_RESULT s2n_connection_ptr_free(struct s2n_connection **s2n_connection);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_handshake.c
index cc343d622d..e622fb8f51 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake.c
@@ -57,15 +57,15 @@ int s2n_handshake_finish_header(struct s2n_stuffer *out)
return S2N_SUCCESS;
}
-int s2n_handshake_parse_header(struct s2n_connection *conn, uint8_t * message_type, uint32_t * length)
+S2N_RESULT s2n_handshake_parse_header(struct s2n_stuffer *io, uint8_t * message_type, uint32_t * length)
{
- S2N_ERROR_IF(s2n_stuffer_data_available(&conn->handshake.io) < TLS_HANDSHAKE_HEADER_LENGTH, S2N_ERR_SIZE_MISMATCH);
+ RESULT_ENSURE(s2n_stuffer_data_available(io) >= TLS_HANDSHAKE_HEADER_LENGTH, S2N_ERR_SIZE_MISMATCH);
/* read the message header */
- POSIX_GUARD(s2n_stuffer_read_uint8(&conn->handshake.io, message_type));
- POSIX_GUARD(s2n_stuffer_read_uint24(&conn->handshake.io, length));
+ RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(io, message_type));
+ RESULT_GUARD_POSIX(s2n_stuffer_read_uint24(io, length));
- return S2N_SUCCESS;
+ return S2N_RESULT_OK;
}
static int s2n_handshake_get_hash_state_ptr(struct s2n_connection *conn, s2n_hash_algorithm hash_alg, struct s2n_hash_state **hash_state)
diff --git a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
index 3df9b21270..fb7de64ae8 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_handshake_io.c
@@ -1257,8 +1257,8 @@ static int s2n_read_full_handshake_message(struct s2n_connection *conn, uint8_t
POSIX_GUARD(s2n_stuffer_copy(&conn->in, &conn->handshake.io, (TLS_HANDSHAKE_HEADER_LENGTH - current_handshake_data)));
}
- uint32_t handshake_message_length;
- POSIX_GUARD(s2n_handshake_parse_header(conn, message_type, &handshake_message_length));
+ uint32_t handshake_message_length = 0;
+ POSIX_GUARD_RESULT(s2n_handshake_parse_header(&conn->handshake.io, message_type, &handshake_message_length));
S2N_ERROR_IF(handshake_message_length > S2N_MAXIMUM_HANDSHAKE_MESSAGE_LENGTH, S2N_ERR_BAD_MESSAGE);
@@ -1285,7 +1285,7 @@ static int s2n_handshake_conn_update_hashes(struct s2n_connection *conn)
uint32_t handshake_message_length;
POSIX_GUARD(s2n_stuffer_reread(&conn->handshake.io));
- POSIX_GUARD(s2n_handshake_parse_header(conn, &message_type, &handshake_message_length));
+ POSIX_GUARD_RESULT(s2n_handshake_parse_header(&conn->handshake.io, &message_type, &handshake_message_length));
struct s2n_blob handshake_record = {0};
handshake_record.data = conn->handshake.io.blob.data;
diff --git a/contrib/restricted/aws/s2n/tls/s2n_kem.c b/contrib/restricted/aws/s2n/tls/s2n_kem.c
index 82394f8f03..affe9e02c4 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_kem.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_kem.c
@@ -13,13 +13,15 @@
* permissions and limitations under the License.
*/
-#include "stuffer/s2n_stuffer.h"
-#include "tls/s2n_tls_parameters.h"
#include "tls/s2n_kem.h"
+
+#include "pq-crypto/s2n_kyber_512_evp.h"
+#include "pq-crypto/s2n_pq.h"
+#include "stuffer/s2n_stuffer.h"
#include "tls/extensions/s2n_key_share.h"
+#include "tls/s2n_tls_parameters.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"
-#include "pq-crypto/s2n_pq.h"
/* The KEM IDs and names come from https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid */
@@ -30,9 +32,15 @@ const struct s2n_kem s2n_kyber_512_r3 = {
.private_key_length = S2N_KYBER_512_R3_SECRET_KEY_BYTES,
.shared_secret_key_length = S2N_KYBER_512_R3_SHARED_SECRET_BYTES,
.ciphertext_length = S2N_KYBER_512_R3_CIPHERTEXT_BYTES,
+#if defined (S2N_LIBCRYPTO_SUPPORTS_KYBER512)
+ .generate_keypair = &s2n_kyber_512_evp_generate_keypair,
+ .encapsulate = &s2n_kyber_512_evp_encapsulate,
+ .decapsulate = &s2n_kyber_512_evp_decapsulate,
+#else
.generate_keypair = &s2n_kyber_512_r3_crypto_kem_keypair,
.encapsulate = &s2n_kyber_512_r3_crypto_kem_enc,
.decapsulate = &s2n_kyber_512_r3_crypto_kem_dec,
+#endif
};
const struct s2n_kem *kyber_kems[] = {
@@ -359,7 +367,7 @@ int s2n_kem_recv_ciphertext(struct s2n_stuffer *in, struct s2n_kem_params *kem_p
/* If S2N_NO_PQ was defined at compile time, the PQ KEM code will have been entirely excluded
* from compilation. We define stubs of these functions here to error if they are called. */
/* kyber512r3 */
-int s2n_kyber_512_r3_crypto_kem_keypair(OUT unsigned char *pk, OUT unsigned char *sk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
-int s2n_kyber_512_r3_crypto_kem_enc(OUT unsigned char *ct, OUT unsigned char *ss, IN const unsigned char *pk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
-int s2n_kyber_512_r3_crypto_kem_dec(OUT unsigned char *ss, IN const unsigned char *ct, IN const unsigned char *sk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
+int s2n_kyber_512_r3_crypto_kem_keypair(OUT uint8_t *pk, OUT uint8_t *sk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
+int s2n_kyber_512_r3_crypto_kem_enc(OUT uint8_t *ct, OUT uint8_t *ss, IN const uint8_t *pk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
+int s2n_kyber_512_r3_crypto_kem_dec(OUT uint8_t *ss, IN const uint8_t *ct, IN const uint8_t *sk) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); }
#endif
diff --git a/contrib/restricted/aws/s2n/tls/s2n_kem.h b/contrib/restricted/aws/s2n/tls/s2n_kem.h
index 8e78d649ab..44f16ecc72 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_kem.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_kem.h
@@ -38,9 +38,9 @@ struct s2n_kem {
const kem_shared_secret_size shared_secret_key_length;
const kem_ciphertext_key_size ciphertext_length;
/* NIST Post Quantum KEM submissions require the following API for compatibility */
- int (*generate_keypair)(OUT unsigned char *public_key, OUT unsigned char *private_key);
- int (*encapsulate)(OUT unsigned char *ciphertext, OUT unsigned char *shared_secret, IN const unsigned char *public_key);
- int (*decapsulate)(OUT unsigned char *shared_secret, IN const unsigned char *ciphertext, IN const unsigned char *private_key);
+ int (*generate_keypair)(OUT uint8_t *public_key, OUT uint8_t *private_key);
+ int (*encapsulate)(OUT uint8_t *ciphertext, OUT uint8_t *shared_secret, IN const uint8_t *public_key);
+ int (*decapsulate)(OUT uint8_t *shared_secret, IN const uint8_t *ciphertext, IN const uint8_t *private_key);
};
struct s2n_kem_params {
@@ -135,6 +135,6 @@ extern int s2n_kem_recv_ciphertext(struct s2n_stuffer *in, struct s2n_kem_params
#define S2N_KYBER_512_R3_SECRET_KEY_BYTES 1632
#define S2N_KYBER_512_R3_CIPHERTEXT_BYTES 768
#define S2N_KYBER_512_R3_SHARED_SECRET_BYTES 32
-int s2n_kyber_512_r3_crypto_kem_keypair(OUT unsigned char *pk, OUT unsigned char *sk);
-int s2n_kyber_512_r3_crypto_kem_enc(OUT unsigned char *ct, OUT unsigned char *ss, IN const unsigned char *pk);
-int s2n_kyber_512_r3_crypto_kem_dec(OUT unsigned char *ss, IN const unsigned char *ct, IN const unsigned char *sk);
+int s2n_kyber_512_r3_crypto_kem_keypair(OUT uint8_t *pk, OUT uint8_t *sk);
+int s2n_kyber_512_r3_crypto_kem_enc(OUT uint8_t *ct, OUT uint8_t *ss, IN const uint8_t *pk);
+int s2n_kyber_512_r3_crypto_kem_dec(OUT uint8_t *ss, IN const uint8_t *ct, IN const uint8_t *sk);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
index 9ae3039f4b..52ba7ca389 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c
@@ -13,6 +13,8 @@
* permissions and limitations under the License.
*/
+#include <sys/param.h>
+
#include "error/s2n_errno.h"
#include "tls/s2n_connection.h"
@@ -20,59 +22,150 @@
#include "tls/s2n_tls.h"
#include "utils/s2n_safety.h"
-int s2n_post_handshake_recv(struct s2n_connection *conn)
+static S2N_RESULT s2n_post_handshake_process(struct s2n_connection *conn, struct s2n_stuffer *in, uint8_t message_type)
{
- POSIX_ENSURE_REF(conn);
+ RESULT_ENSURE_REF(conn);
- uint8_t post_handshake_id;
- uint32_t message_length;
+ switch (message_type) {
+ case TLS_KEY_UPDATE:
+ RESULT_GUARD_POSIX(s2n_key_update_recv(conn, in));
+ break;
+ case TLS_SERVER_NEW_SESSION_TICKET:
+ RESULT_GUARD(s2n_tls13_server_nst_recv(conn, in));
+ break;
+ case TLS_HELLO_REQUEST:
+ RESULT_GUARD(s2n_client_hello_request_recv(conn));
+ break;
+ case TLS_CERT_REQ:
+ /*
+ * s2n-tls does not support post-handshake authentication.
+ *
+ *= https://tools.ietf.org/rfc/rfc8446#section-4.6.2
+ *# A client that receives a CertificateRequest message without having
+ *# sent the "post_handshake_auth" extension MUST send an
+ *# "unexpected_message" fatal alert.
+ */
+ RESULT_BAIL(S2N_ERR_BAD_MESSAGE);
+ default:
+ /* All other messages are unexpected */
+ RESULT_BAIL(S2N_ERR_BAD_MESSAGE);
+ }
- while(s2n_stuffer_data_available(&conn->in)) {
- POSIX_GUARD(s2n_stuffer_read_uint8(&conn->in, &post_handshake_id));
- POSIX_GUARD(s2n_stuffer_read_uint24(&conn->in, &message_length));
-
- struct s2n_blob post_handshake_blob = { 0 };
- uint8_t *message_data = s2n_stuffer_raw_read(&conn->in, message_length);
- POSIX_ENSURE_REF(message_data);
- POSIX_GUARD(s2n_blob_init(&post_handshake_blob, message_data, message_length));
-
- struct s2n_stuffer post_handshake_stuffer = { 0 };
- POSIX_GUARD(s2n_stuffer_init(&post_handshake_stuffer, &post_handshake_blob));
- POSIX_GUARD(s2n_stuffer_skip_write(&post_handshake_stuffer, message_length));
-
- switch (post_handshake_id)
- {
- case TLS_KEY_UPDATE:
- POSIX_GUARD(s2n_key_update_recv(conn, &post_handshake_stuffer));
- break;
- case TLS_SERVER_NEW_SESSION_TICKET:
- POSIX_GUARD_RESULT(s2n_tls13_server_nst_recv(conn, &post_handshake_stuffer));
- break;
- case TLS_HELLO_REQUEST:
- POSIX_GUARD_RESULT(s2n_client_hello_request_recv(conn));
- break;
- case TLS_CLIENT_HELLO:
- case TLS_SERVER_HELLO:
- case TLS_END_OF_EARLY_DATA:
- case TLS_ENCRYPTED_EXTENSIONS:
- case TLS_CERTIFICATE:
- case TLS_SERVER_KEY:
- case TLS_CERT_REQ:
- case TLS_SERVER_HELLO_DONE:
- case TLS_CERT_VERIFY:
- case TLS_CLIENT_KEY:
- case TLS_FINISHED:
- case TLS_SERVER_CERT_STATUS:
- /* All other known handshake messages should be rejected */
- POSIX_BAIL(S2N_ERR_BAD_MESSAGE);
- break;
- default:
- /* Ignore all other messages */
- break;
+ return S2N_RESULT_OK;
+}
+
+/*
+ * Read a handshake message from conn->in.
+ *
+ * Handshake messages can be fragmented, meaning that a single message
+ * may be split between multiple records. conn->in only holds a single
+ * record at a time, so we may need to call this method multiple
+ * times to construct the complete message. We store the partial message
+ * in conn->post_handshake.in between calls.
+ */
+S2N_RESULT s2n_post_handshake_message_recv(struct s2n_connection *conn)
+{
+ RESULT_ENSURE_REF(conn);
+
+ struct s2n_stuffer *in = &conn->in;
+ struct s2n_stuffer *message = &conn->post_handshake.in;
+ uint8_t message_type = 0;
+ uint32_t message_len = 0;
+
+ /* We always start reading from the beginning of the message.
+ * Reset the read progress, but keep the write progress since
+ * there may already be a partial message stored in `message`.
+ */
+ RESULT_GUARD_POSIX(s2n_stuffer_reread(message));
+
+ /* At minimum, the message stuffer needs to have enough space to read the header.
+ * For small messages like KeyUpdate and HelloRequest, this is all the space we will need.
+ */
+ if (s2n_stuffer_is_freed(message)) {
+ struct s2n_blob b = { 0 };
+ RESULT_GUARD_POSIX(s2n_blob_init(&b, conn->post_handshake.header_in,
+ sizeof(conn->post_handshake.header_in)));
+ RESULT_GUARD_POSIX(s2n_stuffer_init(message, &b));
+ }
+
+ /* Try to copy the header into the message stuffer.
+ * The message stuffer may already contain some or all of the header if
+ * we have read fragments of this message from previous records.
+ */
+ if (s2n_stuffer_data_available(message) < TLS_HANDSHAKE_HEADER_LENGTH) {
+ uint32_t remaining = TLS_HANDSHAKE_HEADER_LENGTH - s2n_stuffer_data_available(message);
+ uint32_t to_read = MIN(remaining, s2n_stuffer_data_available(in));
+ RESULT_GUARD_POSIX(s2n_stuffer_copy(in, message, to_read));
+ }
+ RESULT_ENSURE(s2n_stuffer_data_available(message) >= TLS_HANDSHAKE_HEADER_LENGTH, S2N_ERR_IO_BLOCKED);
+
+ /* Parse the header */
+ RESULT_GUARD(s2n_handshake_parse_header(message, &message_type, &message_len));
+ RESULT_ENSURE(message_len == 0 || s2n_stuffer_data_available(in), S2N_ERR_IO_BLOCKED);
+ RESULT_ENSURE(message_len <= S2N_MAXIMUM_HANDSHAKE_MESSAGE_LENGTH, S2N_ERR_BAD_MESSAGE);
+
+ /* If the message body is not fragmented, just process it directly from conn->in.
+ * This will be the most common case, and does not require us to allocate any new memory.
+ */
+ if (s2n_stuffer_data_available(message) == 0 && s2n_stuffer_data_available(in) >= message_len) {
+ struct s2n_stuffer full_message = { 0 };
+ struct s2n_blob full_message_blob = { 0 };
+ RESULT_GUARD_POSIX(s2n_blob_init(&full_message_blob, s2n_stuffer_raw_read(in, message_len), message_len));
+ RESULT_GUARD_POSIX(s2n_stuffer_init(&full_message, &full_message_blob));
+ RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&full_message, message_len));
+ RESULT_GUARD(s2n_post_handshake_process(conn, &full_message, message_type));
+ return S2N_RESULT_OK;
+ }
+
+ /* If the message body is fragmented, then the current fragment will be wiped from conn->in
+ * in order to read the next record. So the message stuffer needs enough space to store
+ * the full message as we reconstruct it from multiple records.
+ * For large messages like NewSessionTicket, this will require allocating new memory.
+ */
+ if (s2n_stuffer_space_remaining(message) < message_len) {
+ /* We want to avoid servers allocating memory in response to post-handshake messages
+ * to avoid a potential DDOS / resource exhaustion attack.
+ *
+ * Currently, s2n-tls servers only support the KeyUpdate message,
+ * which should never require additional memory to parse.
+ */
+ RESULT_ENSURE(conn->mode == S2N_CLIENT, S2N_ERR_BAD_MESSAGE);
+
+ uint32_t total_size = message_len + TLS_HANDSHAKE_HEADER_LENGTH;
+ if (message->alloced) {
+ RESULT_GUARD_POSIX(s2n_stuffer_resize(message, total_size));
+ } else {
+ /* Manually convert our static stuffer to a growable stuffer */
+ RESULT_GUARD_POSIX(s2n_stuffer_growable_alloc(message, total_size));
+ RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(message, conn->post_handshake.header_in, TLS_HANDSHAKE_HEADER_LENGTH));
+ RESULT_GUARD_POSIX(s2n_stuffer_skip_read(message, TLS_HANDSHAKE_HEADER_LENGTH));
}
}
- return S2N_SUCCESS;
+ /* Try to copy the message body into the message stuffer.
+ * The message stuffer may already contain some of the message body if
+ * we have already read fragments from previous records.
+ */
+ if (s2n_stuffer_data_available(message) < message_len) {
+ uint32_t remaining = message_len - s2n_stuffer_data_available(message);
+ uint32_t to_read = MIN(remaining, s2n_stuffer_data_available(in));
+ RESULT_GUARD_POSIX(s2n_stuffer_copy(in, message, to_read));
+ }
+ RESULT_ENSURE(s2n_stuffer_data_available(message) == message_len, S2N_ERR_IO_BLOCKED);
+
+ /* Now that the full message body is available, process it. */
+ RESULT_GUARD(s2n_post_handshake_process(conn, message, message_type));
+ return S2N_RESULT_OK;
+}
+
+S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn)
+{
+ RESULT_ENSURE_REF(conn);
+ while(s2n_stuffer_data_available(&conn->in)) {
+ RESULT_GUARD(s2n_post_handshake_message_recv(conn));
+ RESULT_GUARD_POSIX(s2n_stuffer_wipe(&conn->post_handshake.in));
+ }
+ return S2N_RESULT_OK;
}
int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked)
diff --git a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
index f021f7afb5..cb70af7ee2 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_post_handshake.h
@@ -15,7 +15,12 @@
#pragma once
-#include "tls/s2n_connection.h"
+struct s2n_connection;
-int s2n_post_handshake_recv(struct s2n_connection *conn);
+struct s2n_post_handshake {
+ struct s2n_stuffer in;
+ uint8_t header_in[TLS_HANDSHAKE_HEADER_LENGTH];
+};
+
+S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn);
int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_protocol_preferences.h b/contrib/restricted/aws/s2n/tls/s2n_protocol_preferences.h
index 327249e80b..259d4ed8ae 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_protocol_preferences.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_protocol_preferences.h
@@ -17,7 +17,9 @@
#include "api/s2n.h"
+#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_result.h"
+#include "utils/s2n_blob.h"
S2N_RESULT s2n_protocol_preferences_read(struct s2n_stuffer *protocol_preferences, struct s2n_blob *protocol);
S2N_RESULT s2n_protocol_preferences_contain(struct s2n_blob *protocol_preferences, struct s2n_blob *protocol, bool *contains);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_quic_support.c b/contrib/restricted/aws/s2n/tls/s2n_quic_support.c
index bd0b44f906..c1da75bf6c 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_quic_support.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_quic_support.c
@@ -105,7 +105,7 @@ S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t
RESULT_GUARD(s2n_read_in_bytes(conn, &conn->handshake.io, TLS_HANDSHAKE_HEADER_LENGTH));
uint32_t message_len;
- RESULT_GUARD_POSIX(s2n_handshake_parse_header(conn, message_type, &message_len));
+ RESULT_GUARD(s2n_handshake_parse_header(&conn->handshake.io, message_type, &message_len));
RESULT_GUARD_POSIX(s2n_stuffer_reread(&conn->handshake.io));
RESULT_ENSURE(message_len < S2N_MAXIMUM_HANDSHAKE_MESSAGE_LENGTH, S2N_ERR_BAD_MESSAGE);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_recv.c b/contrib/restricted/aws/s2n/tls/s2n_recv.c
index ddd3fa8062..84b87e433f 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_recv.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_recv.c
@@ -157,6 +157,24 @@ ssize_t s2n_recv_impl(struct s2n_connection * conn, void *buf, ssize_t size, s2n
S2N_ERROR_IF(isSSLv2, S2N_ERR_BAD_MESSAGE);
+ if (record_type != TLS_HANDSHAKE) {
+ /*
+ *= https://tools.ietf.org/rfc/rfc8446#section-5.1
+ *# - Handshake messages MUST NOT be interleaved with other record
+ *# types. That is, if a handshake message is split over two or more
+ *# records, there MUST NOT be any other records between them.
+ */
+ POSIX_ENSURE(s2n_stuffer_is_wiped(&conn->post_handshake.in), S2N_ERR_BAD_MESSAGE);
+
+ /* If not handling a handshake message, free the post-handshake memory.
+ * Post-handshake messages are infrequent enough that we don't want to
+ * keep a potentially large buffer around unnecessarily.
+ */
+ if (!s2n_stuffer_is_freed(&conn->post_handshake.in)) {
+ POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in));
+ }
+ }
+
if (record_type != TLS_APPLICATION_DATA) {
switch (record_type)
{
@@ -164,9 +182,16 @@ ssize_t s2n_recv_impl(struct s2n_connection * conn, void *buf, ssize_t size, s2n
POSIX_GUARD(s2n_process_alert_fragment(conn));
POSIX_GUARD(s2n_flush(conn, blocked));
break;
- case TLS_HANDSHAKE:
- WITH_ERROR_BLINDING(conn, POSIX_GUARD(s2n_post_handshake_recv(conn)));
+ case TLS_HANDSHAKE: {
+ s2n_result result = s2n_post_handshake_recv(conn);
+ /* Ignore any errors due to insufficient input data from io.
+ * The next iteration of this loop will attempt to read more input data.
+ */
+ if (s2n_result_is_error(result) && s2n_errno != S2N_ERR_IO_BLOCKED) {
+ WITH_ERROR_BLINDING(conn, POSIX_GUARD_RESULT(result));
+ }
break;
+ }
}
POSIX_GUARD(s2n_stuffer_wipe(&conn->header_in));
POSIX_GUARD(s2n_stuffer_wipe(&conn->in));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_security_policies.c b/contrib/restricted/aws/s2n/tls/s2n_security_policies.c
index 9072932670..aad1a07828 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_security_policies.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_security_policies.c
@@ -921,6 +921,8 @@ int s2n_security_policies_init()
POSIX_ENSURE_REF(ecc_preference);
POSIX_GUARD(s2n_check_ecc_preferences_curves_list(ecc_preference));
+ bool cipher_preferences_has_chacha20_cipher_suite = false;
+
const struct s2n_signature_preferences *certificate_signature_preference = security_policy->certificate_signature_preferences;
if (certificate_signature_preference != NULL) {
POSIX_GUARD_RESULT(s2n_validate_certificate_signature_preferences(certificate_signature_preference));
@@ -935,12 +937,14 @@ int s2n_security_policies_init()
struct s2n_cipher_suite *cipher = cipher_preference->suites[j];
POSIX_ENSURE_REF(cipher);
+ const uint8_t *iana = cipher->iana_value;
+
if (cipher->minimum_required_tls_version >= S2N_TLS13) {
security_policy_selection[i].supports_tls13 = 1;
}
/* Sanity check that valid tls13 has minimum tls version set correctly */
- S2N_ERROR_IF(s2n_is_valid_tls13_cipher(cipher->iana_value) ^
+ S2N_ERROR_IF(s2n_is_valid_tls13_cipher(iana) ^
(cipher->minimum_required_tls_version >= S2N_TLS13), S2N_ERR_INVALID_SECURITY_POLICY);
if (s2n_cipher_suite_requires_ecc_extension(cipher)) {
@@ -950,6 +954,15 @@ int s2n_security_policies_init()
if (s2n_cipher_suite_requires_pq_extension(cipher)) {
security_policy_selection[i].pq_kem_extension_required = 1;
}
+
+ if (s2n_cipher_suite_uses_chacha20_alg(cipher)) {
+ cipher_preferences_has_chacha20_cipher_suite = true;
+ }
+ }
+
+ if (cipher_preference->allow_chacha20_boosting) {
+ /* If chacha20 boosting support is enabled, then the cipher preference must have at least one chacha20 cipher suite */
+ POSIX_ENSURE(cipher_preferences_has_chacha20_cipher_suite, S2N_ERR_INVALID_SECURITY_POLICY);
}
POSIX_GUARD(s2n_validate_kem_preferences(kem_preference, security_policy_selection[i].pq_kem_extension_required));
diff --git a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.h b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.h
index f1533335ba..3bab8e9953 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_signature_algorithms.h
@@ -22,6 +22,8 @@
#include "stuffer/s2n_stuffer.h"
+#include "tls/s2n_signature_scheme.h"
+
struct s2n_connection;
struct s2n_sig_scheme_list {
diff --git a/contrib/restricted/aws/s2n/tls/s2n_tls.h b/contrib/restricted/aws/s2n/tls/s2n_tls.h
index 03a5737770..c99d53d66f 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_tls.h
+++ b/contrib/restricted/aws/s2n/tls/s2n_tls.h
@@ -81,7 +81,7 @@ extern int s2n_end_of_early_data_recv(struct s2n_connection *conn);
extern int s2n_process_client_hello(struct s2n_connection *conn);
extern int s2n_handshake_write_header(struct s2n_stuffer *out, uint8_t message_type);
extern int s2n_handshake_finish_header(struct s2n_stuffer *out);
-extern int s2n_handshake_parse_header(struct s2n_connection *conn, uint8_t * message_type, uint32_t * length);
+S2N_RESULT s2n_handshake_parse_header(struct s2n_stuffer *io, uint8_t *message_type, uint32_t *length);
extern int s2n_read_full_record(struct s2n_connection *conn, uint8_t * record_type, int *isSSLv2);
extern int s2n_recv_close_notify(struct s2n_connection *conn, s2n_blocked_status * blocked);
diff --git a/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c b/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c
index 696e7ed463..561be9d815 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_x509_validator.c
@@ -71,8 +71,6 @@ int s2n_x509_trust_store_from_system_defaults(struct s2n_x509_trust_store *store
POSIX_BAIL(S2N_ERR_X509_TRUST_STORE);
}
- X509_STORE_set_flags(store->trust_store, X509_VP_FLAG_DEFAULT);
-
return 0;
}
@@ -127,8 +125,7 @@ int s2n_x509_trust_store_from_ca_file(struct s2n_x509_trust_store *store, const
* without a trust anchor. However if you call this function, the assumption is you trust ca_file or path and if a certificate
* is encountered that's in that path, it should be trusted. The following flag tells libcrypto to not care that the cert
* is missing a root anchor. */
- unsigned long flags = X509_VP_FLAG_DEFAULT;
- flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ unsigned long flags = X509_V_FLAG_PARTIAL_CHAIN;
X509_STORE_set_flags(store->trust_store, flags);
return 0;