diff options
author | robot-contrib <robot-contrib@yandex-team.com> | 2023-04-07 14:28:41 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2023-04-07 14:28:41 +0300 |
commit | bebed7ab9b918d9bb64cc4d8ccf739be80fa1e4b (patch) | |
tree | 4cbf5baa5ce1d206c534a68bff66253bd35e4c73 /contrib | |
parent | bcaaf7514561a925d14b81a86b96b9ed80c16f33 (diff) | |
download | ydb-bebed7ab9b918d9bb64cc4d8ccf739be80fa1e4b.tar.gz |
Update contrib/restricted/aws/s2n to 1.3.41
Diffstat (limited to 'contrib')
19 files changed, 327 insertions, 66 deletions
diff --git a/contrib/restricted/aws/s2n/CMakeLists.darwin-x86_64.txt b/contrib/restricted/aws/s2n/CMakeLists.darwin-x86_64.txt index 32d251a3fd..a4243e1232 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.darwin-x86_64.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.darwin-x86_64.txt @@ -16,6 +16,7 @@ target_compile_options(restricted-aws-s2n PRIVATE -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 -DS2N_MADVISE_SUPPORTED + -DS2N_PLATFORM_SUPPORTS_KTLS -DS2N___RESTRICT__SUPPORTED -DS2N_STACKTRACE -DS2N_CPUID_AVAILABLE @@ -159,6 +160,7 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_kex.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_log.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_update.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ktls.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_next_protocol.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt index bf1ec3e599..206a41c21c 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.linux-aarch64.txt @@ -16,6 +16,7 @@ target_compile_options(restricted-aws-s2n PRIVATE -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 -DS2N_MADVISE_SUPPORTED + -DS2N_PLATFORM_SUPPORTS_KTLS -DS2N___RESTRICT__SUPPORTED -DS2N_FEATURES_AVAILABLE -DS2N_STACKTRACE @@ -154,6 +155,7 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_kex.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_log.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_update.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ktls.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_next_protocol.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c diff --git a/contrib/restricted/aws/s2n/CMakeLists.linux-x86_64.txt b/contrib/restricted/aws/s2n/CMakeLists.linux-x86_64.txt index 8a2bd8ff47..316bae6bcb 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.linux-x86_64.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.linux-x86_64.txt @@ -16,6 +16,7 @@ target_compile_options(restricted-aws-s2n PRIVATE -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 -DS2N_MADVISE_SUPPORTED + -DS2N_PLATFORM_SUPPORTS_KTLS -DS2N___RESTRICT__SUPPORTED -DS2N_FEATURES_AVAILABLE -DS2N_STACKTRACE @@ -161,6 +162,7 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_kex.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_log.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_update.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ktls.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_next_protocol.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c diff --git a/contrib/restricted/aws/s2n/CMakeLists.windows-x86_64.txt b/contrib/restricted/aws/s2n/CMakeLists.windows-x86_64.txt index 46028244d0..1e470c31e0 100644 --- a/contrib/restricted/aws/s2n/CMakeLists.windows-x86_64.txt +++ b/contrib/restricted/aws/s2n/CMakeLists.windows-x86_64.txt @@ -16,6 +16,7 @@ target_compile_options(restricted-aws-s2n PRIVATE -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 -DS2N_MADVISE_SUPPORTED + -DS2N_PLATFORM_SUPPORTS_KTLS -DS2N___RESTRICT__SUPPORTED -DS2N_STACKTRACE -DS2N_CPUID_AVAILABLE @@ -159,6 +160,7 @@ target_sources(restricted-aws-s2n PRIVATE ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_kex.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_log.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_key_update.c + ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ktls.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_next_protocol.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_ocsp_stapling.c ${CMAKE_SOURCE_DIR}/contrib/restricted/aws/s2n/tls/s2n_post_handshake.c diff --git a/contrib/restricted/aws/s2n/README.md b/contrib/restricted/aws/s2n/README.md index 0b7035a04b..e3e9b08057 100644 --- a/contrib/restricted/aws/s2n/README.md +++ b/contrib/restricted/aws/s2n/README.md @@ -66,7 +66,7 @@ Otherwise, if you think you might have found a security impacting issue, please ## Documentation -s2n-tls uses [Doxygen](https://doxygen.nl/index.html) to document its public API. The latest s2n-tls documentation can be found on [GitHub pages](https://aws.github.io/s2n-tls/doxygen/). +s2n-tls uses [Doxygen](https://doxygen.nl/index.html) to document its public API. The latest s2n-tls documentation can be found on [GitHub pages](https://aws.github.io/s2n-tls/doxygen/). The [Usage Guide](docs/USAGE-GUIDE.md) explains how different TLS features can be configured and used. Documentation for older versions or branches of s2n-tls can be generated locally. To generate the documentation, install doxygen and run `doxygen docs/doxygen/Doxyfile`. The doxygen documentation can now be found at `docs/doxygen/output/html/index.html`. diff --git a/contrib/restricted/aws/s2n/api/s2n.h b/contrib/restricted/aws/s2n/api/s2n.h index a4d7afab96..ca8d4d4923 100644 --- a/contrib/restricted/aws/s2n/api/s2n.h +++ b/contrib/restricted/aws/s2n/api/s2n.h @@ -1776,6 +1776,11 @@ typedef enum { /** * Performs the initial "handshake" phase of a TLS connection and must be called before any s2n_recv() or s2n_send() calls. * + * @note When using client authentication with TLS1.3, s2n_negotiate() will report a successful + * handshake to clients before the server validates the client certificate. If the server then + * rejects the client certificate, the client may later receive an alert while calling s2n_recv, + * potentially after already having sent application data with s2n_send. + * * @param conn A pointer to the s2n_connection object * @param blocked A pointer which will be set to the blocked status. * @returns S2N_SUCCESS if the handshake completed. S2N_FAILURE if the handshake encountered an error or is blocked. diff --git a/contrib/restricted/aws/s2n/api/unstable/fingerprint.h b/contrib/restricted/aws/s2n/api/unstable/fingerprint.h index e8163b86e3..f76b2e03da 100644 --- a/contrib/restricted/aws/s2n/api/unstable/fingerprint.h +++ b/contrib/restricted/aws/s2n/api/unstable/fingerprint.h @@ -74,3 +74,29 @@ int s2n_client_hello_get_fingerprint_hash(struct s2n_client_hello *ch, int s2n_client_hello_get_fingerprint_string(struct s2n_client_hello *ch, s2n_fingerprint_type type, uint32_t max_size, uint8_t *output, uint32_t *output_size); + +/** + * Creates an s2n_client_hello from bytes representing a ClientHello message. + * + * Unlike s2n_connection_get_client_hello, the s2n_client_hello returned by this + * method is owned by the application and must be freed with s2n_client_hello_free. + * + * This method does not support SSLv2 ClientHellos. + * + * @param bytes The raw bytes representing the ClientHello. + * @param size The size of raw_message. + * @returns A new s2n_client_hello on success, or NULL on failure. + */ +struct s2n_client_hello *s2n_client_hello_parse_message(const uint8_t *bytes, uint32_t size); + +/** + * Frees an s2n_client_hello structure. + * + * This method should be called to free s2n_client_hellos returned by + * s2n_client_hello_parse_message. It will error if passed an s2n_client_hello + * returned by s2n_connection_get_client_hello and owned by the connection. + * + * @param ch The structure to be freed. + * @returns S2N_SUCCESS on success, S2N_FAILURE on failure. + */ +int s2n_client_hello_free(struct s2n_client_hello **ch); diff --git a/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c index 3d8411d6de..7a389162ed 100644 --- a/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c +++ b/contrib/restricted/aws/s2n/pq-crypto/s2n_kyber_512_evp.c @@ -20,21 +20,27 @@ #include "error/s2n_errno.h" #include "tls/s2n_kem.h" +#include "utils/s2n_safety.h" #include "utils/s2n_safety_macros.h" -#if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER512) -int s2n_kyber_512_evp_generate_keypair(uint8_t *public_key, uint8_t *private_key) { - EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KYBER512, NULL); +#if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER512) && !defined(S2N_NO_PQ) + +DEFINE_POINTER_CLEANUP_FUNC(EVP_PKEY *, EVP_PKEY_free); +DEFINE_POINTER_CLEANUP_FUNC(EVP_PKEY_CTX *, EVP_PKEY_CTX_free); + +int s2n_kyber_512_evp_generate_keypair(uint8_t *public_key, uint8_t *secret_key) { + DEFER_CLEANUP(EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, NULL), EVP_PKEY_CTX_free_pointer); POSIX_GUARD_PTR(kyber_pkey_ctx); + POSIX_GUARD_OSSL(EVP_PKEY_CTX_kem_set_params(kyber_pkey_ctx, NID_KYBER512_R3), S2N_ERR_PQ_CRYPTO); POSIX_GUARD_OSSL(EVP_PKEY_keygen_init(kyber_pkey_ctx), S2N_ERR_PQ_CRYPTO); - EVP_PKEY *kyber_pkey = NULL; + DEFER_CLEANUP(EVP_PKEY *kyber_pkey = NULL, EVP_PKEY_free_pointer); POSIX_GUARD_OSSL(EVP_PKEY_keygen(kyber_pkey_ctx, &kyber_pkey), S2N_ERR_PQ_CRYPTO); size_t public_key_size = S2N_KYBER_512_R3_PUBLIC_KEY_BYTES; - size_t private_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES; + size_t secret_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES; POSIX_GUARD_OSSL(EVP_PKEY_get_raw_public_key(kyber_pkey, public_key, &public_key_size), S2N_ERR_PQ_CRYPTO); - POSIX_GUARD_OSSL(EVP_PKEY_get_raw_private_key(kyber_pkey, private_key, &private_key_size), S2N_ERR_PQ_CRYPTO); + POSIX_GUARD_OSSL(EVP_PKEY_get_raw_private_key(kyber_pkey, secret_key, &secret_key_size), S2N_ERR_PQ_CRYPTO); return S2N_SUCCESS; } @@ -42,10 +48,10 @@ int s2n_kyber_512_evp_generate_keypair(uint8_t *public_key, uint8_t *private_key int s2n_kyber_512_evp_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) { size_t public_key_size = S2N_KYBER_512_R3_PUBLIC_KEY_BYTES; - EVP_PKEY *kyber_pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_KYBER512, NULL, public_key, public_key_size); + DEFER_CLEANUP(EVP_PKEY *kyber_pkey = EVP_PKEY_kem_new_raw_public_key(NID_KYBER512_R3, public_key, public_key_size), EVP_PKEY_free_pointer); POSIX_GUARD_PTR(kyber_pkey); - EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL); + DEFER_CLEANUP(EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL), EVP_PKEY_CTX_free_pointer); POSIX_GUARD_PTR(kyber_pkey_ctx); size_t cipher_text_size = S2N_KYBER_512_R3_CIPHERTEXT_BYTES; @@ -56,21 +62,21 @@ int s2n_kyber_512_evp_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret, } int s2n_kyber_512_evp_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext, - const uint8_t *private_key) { - size_t private_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES; - EVP_PKEY *kyber_pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_KYBER512, NULL, private_key, private_key_size); + const uint8_t *secret_key) { + size_t secret_key_size = S2N_KYBER_512_R3_SECRET_KEY_BYTES; + DEFER_CLEANUP(EVP_PKEY *kyber_pkey = EVP_PKEY_kem_new_raw_secret_key(NID_KYBER512_R3, secret_key, secret_key_size), EVP_PKEY_free_pointer); POSIX_GUARD_PTR(kyber_pkey); - EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL); + DEFER_CLEANUP(EVP_PKEY_CTX *kyber_pkey_ctx = EVP_PKEY_CTX_new(kyber_pkey, NULL), EVP_PKEY_CTX_free_pointer); POSIX_GUARD_PTR(kyber_pkey_ctx); size_t shared_secret_size = S2N_KYBER_512_R3_SHARED_SECRET_BYTES; POSIX_GUARD_OSSL(EVP_PKEY_decapsulate(kyber_pkey_ctx, shared_secret, &shared_secret_size, (uint8_t *) ciphertext, - S2N_KYBER_512_R3_CIPHERTEXT_BYTES), S2N_ERR_PQ_CRYPTO); + S2N_KYBER_512_R3_CIPHERTEXT_BYTES), S2N_ERR_PQ_CRYPTO); return S2N_SUCCESS; } #else -int s2n_kyber_512_evp_generate_keypair(OUT uint8_t *public_key, OUT uint8_t *private_key) { +int s2n_kyber_512_evp_generate_keypair(OUT uint8_t *public_key, OUT uint8_t *secret_key) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); } @@ -80,7 +86,7 @@ int s2n_kyber_512_evp_encapsulate(OUT uint8_t *ciphertext, OUT uint8_t *shared_s } int s2n_kyber_512_evp_decapsulate(OUT uint8_t *shared_secret, IN const uint8_t *ciphertext, - IN const uint8_t *private_key) { + IN const uint8_t *secret_key) { POSIX_BAIL(S2N_ERR_UNIMPLEMENTED); } #endif diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c index fc17e95891..2187c9fb2d 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c +++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.c @@ -273,6 +273,35 @@ const struct s2n_cipher_preferences cipher_preferences_20170210 = { .allow_chacha20_boosting = false, }; +/* + * TLS1.3 support. + * FIPS compliant. + * No DHE (would require extra setup with s2n_config_add_dhparams) + */ +struct s2n_cipher_suite *cipher_suites_20230317[] = { + /* TLS1.2 with ECDSA */ + &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, + &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, + &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, + &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, + + /* TLS1.2 with RSA */ + &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, + &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, + &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, + &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, + + /* TLS1.3 */ + &s2n_tls13_aes_128_gcm_sha256, + &s2n_tls13_aes_256_gcm_sha384, +}; + +const struct s2n_cipher_preferences cipher_preferences_20230317 = { + .count = s2n_array_len(cipher_suites_20230317), + .suites = cipher_suites_20230317, + .allow_chacha20_boosting = false, +}; + /* Same as 20160411, but with ChaCha20 added as 1st in Preference List */ struct s2n_cipher_suite *cipher_suites_20190122[] = { &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, diff --git a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h index 54b5f2fe09..38e4e4e594 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h +++ b/contrib/restricted/aws/s2n/tls/s2n_cipher_preferences.h @@ -27,6 +27,7 @@ struct s2n_cipher_preferences { bool allow_chacha20_boosting; }; +extern const struct s2n_cipher_preferences cipher_preferences_20230317; extern const struct s2n_cipher_preferences cipher_preferences_20140601; extern const struct s2n_cipher_preferences cipher_preferences_20141001; extern const struct s2n_cipher_preferences cipher_preferences_20150202; diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_hello.c b/contrib/restricted/aws/s2n/tls/s2n_client_hello.c index c0dbabe67b..91d8664371 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_client_hello.c +++ b/contrib/restricted/aws/s2n/tls/s2n_client_hello.c @@ -159,7 +159,7 @@ ssize_t s2n_client_hello_get_extensions(struct s2n_client_hello *ch, uint8_t *ou return len; } -int s2n_client_hello_free(struct s2n_client_hello *client_hello) +int s2n_client_hello_free_raw_message(struct s2n_client_hello *client_hello) { POSIX_ENSURE_REF(client_hello); @@ -173,16 +173,28 @@ int s2n_client_hello_free(struct s2n_client_hello *client_hello) return 0; } -int s2n_collect_client_hello(struct s2n_connection *conn, struct s2n_stuffer *source) +int s2n_client_hello_free(struct s2n_client_hello **ch) { - POSIX_ENSURE_REF(conn); + POSIX_ENSURE_REF(ch); + if (*ch == NULL) { + return S2N_SUCCESS; + } + + POSIX_ENSURE((*ch)->alloced, S2N_ERR_INVALID_ARGUMENT); + POSIX_GUARD(s2n_client_hello_free_raw_message(*ch)); + POSIX_GUARD(s2n_free_object((uint8_t **) ch, sizeof(struct s2n_client_hello))); + *ch = NULL; + return S2N_SUCCESS; +} + +int s2n_collect_client_hello(struct s2n_client_hello *ch, struct s2n_stuffer *source) +{ + POSIX_ENSURE_REF(ch); POSIX_ENSURE_REF(source); uint32_t size = s2n_stuffer_data_available(source); S2N_ERROR_IF(size == 0, S2N_ERR_BAD_MESSAGE); - struct s2n_client_hello *ch = &conn->client_hello; - POSIX_GUARD(s2n_realloc(&ch->raw_message, size)); POSIX_GUARD(s2n_stuffer_read(source, &ch->raw_message)); @@ -310,6 +322,69 @@ static S2N_RESULT s2n_client_hello_verify_for_retry(struct s2n_connection *conn, return S2N_RESULT_OK; } +S2N_RESULT s2n_client_hello_parse_raw(struct s2n_client_hello *client_hello, + uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN], + uint8_t client_random[S2N_TLS_RANDOM_DATA_LEN]) +{ + RESULT_ENSURE_REF(client_hello); + + struct s2n_stuffer in_stuffer = { 0 }; + RESULT_GUARD_POSIX(s2n_stuffer_init_written(&in_stuffer, &client_hello->raw_message)); + struct s2n_stuffer *in = &in_stuffer; + + /** + * https://tools.ietf.org/rfc/rfc8446#4.1.2 + * Structure of this message: + * + * uint16 ProtocolVersion; + * opaque Random[32]; + * + * uint8 CipherSuite[2]; + * + * struct { + * ProtocolVersion legacy_version = 0x0303; + * Random random; + * opaque legacy_session_id<0..32>; + * CipherSuite cipher_suites<2..2^16-2>; + * opaque legacy_compression_methods<1..2^8-1>; + * Extension extensions<8..2^16-1>; + * } ClientHello; + **/ + + /* legacy_version */ + RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(in, client_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN)); + + /* random */ + RESULT_GUARD_POSIX(s2n_stuffer_erase_and_read_bytes(in, client_random, S2N_TLS_RANDOM_DATA_LEN)); + + /* legacy_session_id */ + uint8_t session_id_len = 0; + RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(in, &session_id_len)); + RESULT_ENSURE(session_id_len <= S2N_TLS_SESSION_ID_MAX_LEN, S2N_ERR_BAD_MESSAGE); + uint8_t *session_id = s2n_stuffer_raw_read(in, session_id_len); + RESULT_ENSURE(session_id != NULL, S2N_ERR_BAD_MESSAGE); + RESULT_GUARD_POSIX(s2n_blob_init(&client_hello->session_id, session_id, session_id_len)); + + /* cipher suites */ + uint16_t cipher_suites_length = 0; + RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(in, &cipher_suites_length)); + RESULT_ENSURE(cipher_suites_length > 0, S2N_ERR_BAD_MESSAGE); + RESULT_ENSURE(cipher_suites_length % S2N_TLS_CIPHER_SUITE_LEN == 0, S2N_ERR_BAD_MESSAGE); + uint8_t *cipher_suites = s2n_stuffer_raw_read(in, cipher_suites_length); + RESULT_ENSURE(cipher_suites != NULL, S2N_ERR_BAD_MESSAGE); + RESULT_GUARD_POSIX(s2n_blob_init(&client_hello->cipher_suites, cipher_suites, cipher_suites_length)); + + /* legacy_compression_methods (ignored) */ + uint8_t num_compression_methods = 0; + RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(in, &num_compression_methods)); + RESULT_GUARD_POSIX(s2n_stuffer_skip_read(in, num_compression_methods)); + + /* extensions */ + RESULT_GUARD_POSIX(s2n_extension_list_parse(in, &client_hello->extensions)); + + return S2N_RESULT_OK; +} + int s2n_parse_client_hello(struct s2n_connection *conn) { POSIX_ENSURE_REF(conn); @@ -318,12 +393,12 @@ int s2n_parse_client_hello(struct s2n_connection *conn) * somewhere safe so we can compare it to the new client hello later. */ DEFER_CLEANUP(struct s2n_client_hello previous_hello_retry = conn->client_hello, - s2n_client_hello_free); + s2n_client_hello_free_raw_message); if (s2n_is_hello_retry_handshake(conn)) { POSIX_CHECKED_MEMSET(&conn->client_hello, 0, sizeof(struct s2n_client_hello)); } - POSIX_GUARD(s2n_collect_client_hello(conn, &conn->handshake.io)); + POSIX_GUARD(s2n_collect_client_hello(&conn->client_hello, &conn->handshake.io)); /* The ClientHello version must be TLS12 after a HelloRetryRequest */ if (s2n_is_hello_retry_handshake(conn)) { @@ -335,20 +410,15 @@ int s2n_parse_client_hello(struct s2n_connection *conn) return S2N_SUCCESS; } - /* Going forward, we parse the collected client hello */ - struct s2n_client_hello *client_hello = &conn->client_hello; - struct s2n_stuffer in_stuffer = { 0 }; - POSIX_GUARD(s2n_stuffer_init(&in_stuffer, &client_hello->raw_message)); - POSIX_GUARD(s2n_stuffer_skip_write(&in_stuffer, client_hello->raw_message.size)); - struct s2n_stuffer *in = &in_stuffer; - - uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN]; - - POSIX_GUARD(s2n_stuffer_read_bytes(in, client_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN)); - + /* Save the current client_random for comparison in the case of a retry */ uint8_t previous_client_random[S2N_TLS_RANDOM_DATA_LEN] = { 0 }; - POSIX_CHECKED_MEMCPY(previous_client_random, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN); - POSIX_GUARD(s2n_stuffer_erase_and_read_bytes(in, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN)); + POSIX_CHECKED_MEMCPY(previous_client_random, conn->handshake_params.client_random, + S2N_TLS_RANDOM_DATA_LEN); + + /* Parse raw, collected client hello */ + uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 }; + POSIX_GUARD_RESULT(s2n_client_hello_parse_raw(&conn->client_hello, + client_protocol_version, conn->handshake_params.client_random)); /* Protocol version in the ClientHello is fixed at 0x0303(TLS 1.2) for * future versions of TLS. Therefore, we will negotiate down if a client sends @@ -357,48 +427,81 @@ int s2n_parse_client_hello(struct s2n_connection *conn) conn->client_protocol_version = MIN((client_protocol_version[0] * 10) + client_protocol_version[1], S2N_TLS12); conn->client_hello_version = conn->client_protocol_version; - POSIX_GUARD(s2n_stuffer_read_uint8(in, &conn->session_id_len)); - S2N_ERROR_IF(conn->session_id_len > S2N_TLS_SESSION_ID_MAX_LEN || conn->session_id_len > s2n_stuffer_data_available(in), S2N_ERR_BAD_MESSAGE); - POSIX_GUARD(s2n_blob_init(&client_hello->session_id, s2n_stuffer_raw_read(in, conn->session_id_len), conn->session_id_len)); - POSIX_CHECKED_MEMCPY(conn->session_id, client_hello->session_id.data, conn->session_id_len); - - uint16_t cipher_suites_length = 0; - POSIX_GUARD(s2n_stuffer_read_uint16(in, &cipher_suites_length)); - POSIX_ENSURE(cipher_suites_length > 0, S2N_ERR_BAD_MESSAGE); - POSIX_ENSURE(cipher_suites_length % S2N_TLS_CIPHER_SUITE_LEN == 0, S2N_ERR_BAD_MESSAGE); - - client_hello->cipher_suites.size = cipher_suites_length; - client_hello->cipher_suites.data = s2n_stuffer_raw_read(in, cipher_suites_length); - POSIX_ENSURE_REF(client_hello->cipher_suites.data); - - /* Don't choose the cipher yet, read the extensions first */ - uint8_t num_compression_methods = 0; - POSIX_GUARD(s2n_stuffer_read_uint8(in, &num_compression_methods)); - POSIX_GUARD(s2n_stuffer_skip_read(in, num_compression_methods)); + /* Copy the session id to the connection. */ + conn->session_id_len = conn->client_hello.session_id.size; + POSIX_CHECKED_MEMCPY(conn->session_id, conn->client_hello.session_id.data, conn->session_id_len); + /* Set default key exchange curve. + * This is going to be our fallback if the client has no preference. + * + * P-256 is our preferred fallback option because the TLS1.3 RFC requires + * all implementations to support it: + * + * https://tools.ietf.org/rfc/rfc8446#section-9.1 + * A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) + * and SHOULD support key exchange with X25519 [RFC7748] + */ const struct s2n_ecc_preferences *ecc_pref = NULL; POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref)); POSIX_ENSURE_REF(ecc_pref); POSIX_ENSURE_GT(ecc_pref->count, 0); - if (s2n_ecc_preferences_includes_curve(ecc_pref, TLS_EC_CURVE_SECP_256_R1)) { - /* This is going to be our fallback if the client has no preference. */ - /* A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) */ - /* and SHOULD support key exchange with X25519 [RFC7748]. */ - /* - https://tools.ietf.org/html/rfc8446#section-9.1 */ conn->kex_params.server_ecc_evp_params.negotiated_curve = &s2n_ecc_curve_secp256r1; } else { - /* P-256 is the preferred fallback option. These prefs don't support it, so choose whatever curve is first. */ + /* If P-256 isn't allowed by the current security policy, instead choose + * the first / most preferred curve. + */ conn->kex_params.server_ecc_evp_params.negotiated_curve = ecc_pref->ecc_curves[0]; } - POSIX_GUARD(s2n_extension_list_parse(in, &conn->client_hello.extensions)); - POSIX_GUARD_RESULT(s2n_client_hello_verify_for_retry(conn, - &previous_hello_retry, client_hello, previous_client_random)); + &previous_hello_retry, &conn->client_hello, previous_client_random)); return S2N_SUCCESS; } +static S2N_RESULT s2n_client_hello_parse_message_impl(struct s2n_client_hello **result, + const uint8_t *raw_message, uint32_t raw_message_size) +{ + RESULT_ENSURE_REF(result); + + DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free); + RESULT_GUARD_POSIX(s2n_alloc(&mem, sizeof(struct s2n_client_hello))); + RESULT_GUARD_POSIX(s2n_blob_zero(&mem)); + + DEFER_CLEANUP(struct s2n_client_hello *client_hello = NULL, s2n_client_hello_free); + client_hello = (struct s2n_client_hello *) (void *) mem.data; + client_hello->alloced = true; + ZERO_TO_DISABLE_DEFER_CLEANUP(mem); + + DEFER_CLEANUP(struct s2n_stuffer in = { 0 }, s2n_stuffer_free); + RESULT_GUARD_POSIX(s2n_stuffer_alloc(&in, raw_message_size)); + RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(&in, raw_message, raw_message_size)); + + uint8_t message_type = 0; + uint32_t message_len = 0; + RESULT_GUARD(s2n_handshake_parse_header(&in, &message_type, &message_len)); + RESULT_ENSURE(message_type == TLS_CLIENT_HELLO, S2N_ERR_BAD_MESSAGE); + RESULT_ENSURE(message_len == s2n_stuffer_data_available(&in), S2N_ERR_BAD_MESSAGE); + + RESULT_GUARD_POSIX(s2n_collect_client_hello(client_hello, &in)); + RESULT_ENSURE(s2n_stuffer_data_available(&in) == 0, S2N_ERR_BAD_MESSAGE); + + uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 }; + uint8_t random[S2N_TLS_RANDOM_DATA_LEN] = { 0 }; + RESULT_GUARD(s2n_client_hello_parse_raw(client_hello, protocol_version, random)); + + *result = client_hello; + ZERO_TO_DISABLE_DEFER_CLEANUP(client_hello); + return S2N_RESULT_OK; +} + +struct s2n_client_hello *s2n_client_hello_parse_message(const uint8_t *raw_message, uint32_t raw_message_size) +{ + struct s2n_client_hello *result = NULL; + PTR_GUARD_RESULT(s2n_client_hello_parse_message_impl(&result, raw_message, raw_message_size)); + return result; +} + int s2n_process_client_hello(struct s2n_connection *conn) { POSIX_ENSURE_REF(conn); diff --git a/contrib/restricted/aws/s2n/tls/s2n_client_hello.h b/contrib/restricted/aws/s2n/tls/s2n_client_hello.h index d7eaa749b8..bed6a56849 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_client_hello.h +++ b/contrib/restricted/aws/s2n/tls/s2n_client_hello.h @@ -43,7 +43,6 @@ struct s2n_client_hello { * issues a hello retry. */ unsigned int parsed : 1; - /* * SSLv2 ClientHellos have a different format. * Cipher suites are each three bytes instead of two. @@ -51,9 +50,20 @@ struct s2n_client_hello { * the raw_message will not contain the protocol version. */ unsigned int sslv2 : 1; + /* + * The memory for this structure can be either owned by the application + * or tied to and managed by a connection. + * + * If owned by the application, it can be freed using s2n_client_hello_free. + * Otherwise, it is freed with s2n_connection_free. + * + * We could simplify this by moving the client hello structure off of the + * connection structure. + */ + unsigned int alloced : 1; }; -int s2n_client_hello_free(struct s2n_client_hello *client_hello); +int s2n_client_hello_free_raw_message(struct s2n_client_hello *client_hello); struct s2n_client_hello *s2n_connection_get_client_hello(struct s2n_connection *conn); diff --git a/contrib/restricted/aws/s2n/tls/s2n_connection.c b/contrib/restricted/aws/s2n/tls/s2n_connection.c index 5fd809ab00..16d1c19850 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_connection.c +++ b/contrib/restricted/aws/s2n/tls/s2n_connection.c @@ -267,7 +267,7 @@ int s2n_connection_free(struct s2n_connection *conn) POSIX_GUARD(s2n_stuffer_free(&conn->handshake.io)); POSIX_GUARD(s2n_stuffer_free(&conn->post_handshake.in)); s2n_x509_validator_wipe(&conn->x509_validator); - POSIX_GUARD(s2n_client_hello_free(&conn->client_hello)); + POSIX_GUARD(s2n_client_hello_free_raw_message(&conn->client_hello)); POSIX_GUARD(s2n_free(&conn->application_protocols_overridden)); POSIX_GUARD(s2n_free(&conn->cookie)); POSIX_GUARD_RESULT(s2n_crypto_parameters_free(&conn->initial)); diff --git a/contrib/restricted/aws/s2n/tls/s2n_ktls.c b/contrib/restricted/aws/s2n/tls/s2n_ktls.c new file mode 100644 index 0000000000..81b72bf4e6 --- /dev/null +++ b/contrib/restricted/aws/s2n/tls/s2n_ktls.c @@ -0,0 +1,25 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://aws.amazon.com/apache2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +#include "tls/s2n_ktls.h" + +bool s2n_ktls_is_supported_on_platform() +{ +#ifdef S2N_PLATFORM_SUPPORTS_KTLS + return true; +#else + return false; +#endif +} diff --git a/contrib/restricted/aws/s2n/tls/s2n_ktls.h b/contrib/restricted/aws/s2n/tls/s2n_ktls.h index 117fa3dcae..5e2de31955 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_ktls.h +++ b/contrib/restricted/aws/s2n/tls/s2n_ktls.h @@ -32,3 +32,4 @@ typedef enum { } s2n_ktls_mode; int s2n_config_set_ktls_mode(struct s2n_config *config, s2n_ktls_mode ktls_mode); +bool s2n_ktls_is_supported_on_platform(); diff --git a/contrib/restricted/aws/s2n/tls/s2n_security_policies.c b/contrib/restricted/aws/s2n/tls/s2n_security_policies.c index a0aee17963..1f51175d7c 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_security_policies.c +++ b/contrib/restricted/aws/s2n/tls/s2n_security_policies.c @@ -51,6 +51,15 @@ const struct s2n_security_policy security_policy_default_fips = { .ecc_preferences = &s2n_ecc_preferences_default_fips, }; +const struct s2n_security_policy security_policy_20230317 = { + .minimum_protocol_version = S2N_TLS12, + .cipher_preferences = &cipher_preferences_20230317, + .kem_preferences = &kem_preferences_null, + .signature_preferences = &s2n_signature_preferences_20230317, + .certificate_signature_preferences = &s2n_signature_preferences_20230317, + .ecc_preferences = &s2n_ecc_preferences_20201021, +}; + const struct s2n_security_policy security_policy_20190801 = { .minimum_protocol_version = S2N_TLS10, .cipher_preferences = &cipher_preferences_20190801, @@ -787,6 +796,7 @@ struct s2n_security_policy_selection security_policy_selection[] = { { .version = "default", .security_policy = &security_policy_20170210, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, { .version = "default_tls13", .security_policy = &security_policy_default_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, { .version = "default_fips", .security_policy = &security_policy_default_fips, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, + { .version = "20230317", .security_policy = &security_policy_20230317, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, { .version = "ELBSecurityPolicy-TLS-1-0-2015-04", .security_policy = &security_policy_elb_2015_04, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, /* Not a mistake. TLS-1-0-2015-05 and 2016-08 are equivalent */ { .version = "ELBSecurityPolicy-TLS-1-0-2015-05", .security_policy = &security_policy_elb_2016_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 }, diff --git a/contrib/restricted/aws/s2n/tls/s2n_security_policies.h b/contrib/restricted/aws/s2n/tls/s2n_security_policies.h index 3828d7544f..ad98ab6923 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_security_policies.h +++ b/contrib/restricted/aws/s2n/tls/s2n_security_policies.h @@ -63,6 +63,7 @@ extern const struct s2n_security_policy security_policy_20190214; extern const struct s2n_security_policy security_policy_20190214_gcm; extern const struct s2n_security_policy security_policy_20190801; extern const struct s2n_security_policy security_policy_20190802; +extern const struct s2n_security_policy security_policy_20230317; extern const struct s2n_security_policy security_policy_default_tls13; extern const struct s2n_security_policy security_policy_default_fips; extern const struct s2n_security_policy security_policy_test_all; diff --git a/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.c b/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.c index 4d674379f7..bbea03abd9 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.c +++ b/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.c @@ -282,6 +282,41 @@ const struct s2n_signature_preferences s2n_signature_preferences_default_fips = .signature_schemes = s2n_sig_scheme_pref_list_default_fips, }; +/* + * FIPS compliant. + * Supports TLS1.3. + * Prefers PSS over PKCS1. + */ +const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_20230317[] = { + /* RSA */ + &s2n_rsa_pss_rsae_sha256, + &s2n_rsa_pss_rsae_sha384, + &s2n_rsa_pss_rsae_sha512, + &s2n_rsa_pkcs1_sha256, + &s2n_rsa_pkcs1_sha384, + &s2n_rsa_pkcs1_sha512, + + /* TLS1.2 with ECDSA */ + &s2n_ecdsa_sha256, /* same iana value as TLS 1.3 s2n_ecdsa_secp256r1_sha256 */ + &s2n_ecdsa_sha384, /* same iana value as TLS 1.3 s2n_ecdsa_secp384r1_sha384 */ + &s2n_ecdsa_sha512, + + /* TLS1.3 with ECDSA */ + &s2n_ecdsa_secp256r1_sha256, + &s2n_ecdsa_secp384r1_sha384, + &s2n_ecdsa_secp521r1_sha512, + + /* TLS1.3 with RSA-PSS */ + &s2n_rsa_pss_pss_sha256, + &s2n_rsa_pss_pss_sha384, + &s2n_rsa_pss_pss_sha512, +}; + +const struct s2n_signature_preferences s2n_signature_preferences_20230317 = { + .count = s2n_array_len(s2n_sig_scheme_pref_list_20230317), + .signature_schemes = s2n_sig_scheme_pref_list_20230317, +}; + /* Add s2n_ecdsa_secp521r1_sha512 */ const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_20201021[] = { /* RSA PSS */ diff --git a/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.h b/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.h index c4700f4d1a..a1c58db5ce 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.h +++ b/contrib/restricted/aws/s2n/tls/s2n_signature_scheme.h @@ -73,6 +73,7 @@ extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha256; extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha384; extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha512; +extern const struct s2n_signature_preferences s2n_signature_preferences_20230317; extern const struct s2n_signature_preferences s2n_signature_preferences_20140601; extern const struct s2n_signature_preferences s2n_signature_preferences_20200207; extern const struct s2n_signature_preferences s2n_signature_preferences_20201021; |