Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <errno.h>
19 : : #include <signal.h>
20 : : #include <stdint.h>
21 : :
22 : : #include "api/s2n.h"
23 : : #include "crypto/s2n_hash.h"
24 : : #include "crypto/s2n_hmac.h"
25 : : #include "stuffer/s2n_stuffer.h"
26 : : #include "tls/s2n_client_hello.h"
27 : : #include "tls/s2n_config.h"
28 : : #include "tls/s2n_crypto.h"
29 : : #include "tls/s2n_early_data.h"
30 : : #include "tls/s2n_ecc_preferences.h"
31 : : #include "tls/s2n_handshake.h"
32 : : #include "tls/s2n_kem_preferences.h"
33 : : #include "tls/s2n_key_update.h"
34 : : #include "tls/s2n_post_handshake.h"
35 : : #include "tls/s2n_prf.h"
36 : : #include "tls/s2n_quic_support.h"
37 : : #include "tls/s2n_record.h"
38 : : #include "tls/s2n_resume.h"
39 : : #include "tls/s2n_security_policies.h"
40 : : #include "tls/s2n_tls_parameters.h"
41 : : #include "tls/s2n_x509_validator.h"
42 : : #include "utils/s2n_atomic.h"
43 : : #include "utils/s2n_mem.h"
44 : : #include "utils/s2n_timer.h"
45 : :
46 : 11701561 : #define S2N_TLS_PROTOCOL_VERSION_LEN 2
47 : :
48 : 3017 : #define S2N_PEER_MODE(our_mode) ((our_mode + 1) % 2)
49 : :
50 : 148 : #define is_handshake_complete(conn) (APPLICATION_DATA == s2n_conn_get_current_message_type(conn))
51 : :
52 : 1038 : #define S2N_DEFAULT_BLINDING_MAX 30
53 : 1038 : #define S2N_DEFAULT_BLINDING_MIN 10
54 : :
55 : : typedef enum {
56 : : S2N_NO_TICKET = 0,
57 : : S2N_DECRYPT_TICKET,
58 : : S2N_NEW_TICKET
59 : : } s2n_session_ticket_status;
60 : :
61 : : struct s2n_connection {
62 : : /* Is this connection using CORK/SO_RCVLOWAT optimizations? Only valid when the connection is using
63 : : * managed_send_io
64 : : */
65 : : unsigned corked_io : 1;
66 : :
67 : : /* Session resumption indicator on client side */
68 : : unsigned client_session_resumed : 1;
69 : :
70 : : /* Connection can be used by a QUIC implementation */
71 : : unsigned quic_enabled : 1;
72 : :
73 : : /* RFC5746 Section 4.3 suggests servers implement a minimal version of the
74 : : * renegotiation_info extension even if renegotiation is not supported.
75 : : * Some clients may fail the handshake if a corresponding renegotiation_info
76 : : * extension is not sent back by the server.
77 : : */
78 : : unsigned secure_renegotiation : 1;
79 : : /* Was the EC point formats sent by the client */
80 : : unsigned ec_point_formats : 1;
81 : :
82 : : /* whether the connection address is ipv6 or not */
83 : : unsigned ipv6 : 1;
84 : :
85 : : /* Whether server_name extension was used to make a decision on cert selection.
86 : : * RFC6066 Section 3 states that server which used server_name to make a decision
87 : : * on certificate or security settings has to send an empty server_name.
88 : : */
89 : : unsigned server_name_used : 1;
90 : :
91 : : /* If write fd is broken */
92 : : unsigned write_fd_broken : 1;
93 : :
94 : : /* Has the user set their own I/O callbacks or is this connection using the
95 : : * default socket-based I/O set by s2n */
96 : : unsigned managed_send_io : 1;
97 : : unsigned managed_recv_io : 1;
98 : :
99 : : /* Early data supported by caller.
100 : : * If a caller does not use any APIs that support early data,
101 : : * do not negotiate early data.
102 : : */
103 : : unsigned early_data_expected : 1;
104 : :
105 : : /* Connection overrides server_max_early_data_size */
106 : : unsigned server_max_early_data_size_overridden : 1;
107 : :
108 : : /* Connection overrides psk_mode.
109 : : * This means that the connection will keep the existing value of psk_params->type,
110 : : * even when setting a new config. */
111 : : unsigned psk_mode_overridden : 1;
112 : :
113 : : /* Connection negotiated an EMS */
114 : : unsigned ems_negotiated : 1;
115 : :
116 : : /* Connection successfully set a ticket on the connection */
117 : : unsigned set_session : 1;
118 : :
119 : : /* Buffer multiple records before flushing them.
120 : : * This allows multiple records to be written with one socket send. */
121 : : unsigned multirecord_send : 1;
122 : :
123 : : /* If enabled, this connection will free each of its IO buffers after all data
124 : : * has been flushed */
125 : : unsigned dynamic_buffers : 1;
126 : :
127 : : /* Indicates protocol negotiation will be done through the NPN extension
128 : : * instead of the ALPN extension */
129 : : unsigned npn_negotiated : 1;
130 : :
131 : : /* Marks if kTLS has been enabled for this connection. */
132 : : unsigned ktls_send_enabled : 1;
133 : : unsigned ktls_recv_enabled : 1;
134 : :
135 : : /* Indicates whether the connection should request OCSP stapling from the peer */
136 : : unsigned request_ocsp_status : 1;
137 : :
138 : : /* Indicates that the connection was created from deserialization
139 : : * and therefore knowledge of the original handshake is limited. */
140 : : unsigned deserialized_conn : 1;
141 : :
142 : : /* Indicates s2n_recv should reduce read calls by attempting to buffer more
143 : : * data than is required for a single record.
144 : : *
145 : : * This is more efficient, but will break applications that expect exact reads,
146 : : * for example any custom IO that behaves like MSG_WAITALL.
147 : : */
148 : : unsigned recv_buffering : 1;
149 : :
150 : : /* The configuration (cert, key .. etc ) */
151 : : struct s2n_config *config;
152 : :
153 : : /* Overrides Security Policy in config if non-null */
154 : : const struct s2n_security_policy *security_policy_override;
155 : :
156 : : /* The user defined context associated with connection */
157 : : void *context;
158 : :
159 : : /* The user defined secret callback and context */
160 : : s2n_secret_cb secret_cb;
161 : : void *secret_cb_context;
162 : :
163 : : /* The send and receive callbacks don't have to be the same (e.g. two pipes) */
164 : : s2n_send_fn *send;
165 : : s2n_recv_fn *recv;
166 : :
167 : : /* The context passed to the I/O callbacks */
168 : : void *send_io_context;
169 : : void *recv_io_context;
170 : :
171 : : /* Track request/response extensions to ensure correct response extension behavior.
172 : : *
173 : : * We need to track client and server extensions separately because some
174 : : * extensions (like request_status and other Certificate extensions) can
175 : : * be requested by the client, the server, or both.
176 : : */
177 : : s2n_extension_bitfield extension_requests_sent;
178 : : s2n_extension_bitfield extension_requests_received;
179 : : s2n_extension_bitfield extension_responses_received;
180 : :
181 : : /* Is this connection a client or a server connection */
182 : : s2n_mode mode;
183 : :
184 : : /* Does s2n handle the blinding, or does the application */
185 : : s2n_blinding blinding;
186 : :
187 : : /* A timer to measure the time between record writes */
188 : : struct s2n_timer write_timer;
189 : :
190 : : /* last written time */
191 : : uint64_t last_write_elapsed;
192 : :
193 : : /* When fatal errors occurs, s2n imposes a pause before
194 : : * the connection is closed. If non-zero, this value tracks
195 : : * how many nanoseconds to pause - which will be relative to
196 : : * the write_timer value. */
197 : : uint64_t delay;
198 : :
199 : : /* The session id */
200 : : uint8_t session_id[S2N_TLS_SESSION_ID_MAX_LEN];
201 : : uint8_t session_id_len;
202 : :
203 : : /* The version advertised by the client, by the
204 : : * server, and the actual version we are currently
205 : : * speaking. */
206 : : uint8_t client_protocol_version;
207 : : uint8_t server_protocol_version;
208 : : uint8_t actual_protocol_version;
209 : : /* The version stored in the ticket / session we are resuming.
210 : : * We expect the connection to negotiate this version during
211 : : * the resumption handshake.
212 : : */
213 : : uint8_t resume_protocol_version;
214 : :
215 : : /* Flag indicating whether a protocol version has been
216 : : * negotiated yet. */
217 : : uint8_t actual_protocol_version_established;
218 : :
219 : : /* Our crypto parameters */
220 : : struct s2n_crypto_parameters *initial;
221 : : struct s2n_crypto_parameters *secure;
222 : : struct s2n_secrets secrets;
223 : :
224 : : /* Which set is the client/server actually using? */
225 : : struct s2n_crypto_parameters *client;
226 : : struct s2n_crypto_parameters *server;
227 : :
228 : : /* Contains parameters needed to negotiate a shared secret */
229 : : struct s2n_kex_parameters kex_params;
230 : :
231 : : /* Contains parameters needed during the handshake phase */
232 : : struct s2n_handshake_parameters handshake_params;
233 : :
234 : : /* Our PSK parameters */
235 : : struct s2n_psk_parameters psk_params;
236 : :
237 : : /* The PRF needs some storage elements to work with */
238 : : struct s2n_prf_working_space *prf_space;
239 : :
240 : : /* Indicates whether the application has overridden the client auth behavior
241 : : * inherited from the config.
242 : : * This should be a bitflag, but that change is blocked on the SAW proofs.
243 : : */
244 : : uint8_t client_cert_auth_type_overridden;
245 : :
246 : : /* Whether or not the client should authenticate itself to the server.
247 : : * Only used if client_cert_auth_type_overridden is true.
248 : : */
249 : : s2n_cert_auth_type client_cert_auth_type;
250 : :
251 : : /* Our workhorse stuffers, used for buffering the plaintext
252 : : * and encrypted data in both directions.
253 : : */
254 : : uint8_t header_in_data[S2N_TLS_RECORD_HEADER_LENGTH];
255 : : struct s2n_stuffer header_in;
256 : : struct s2n_stuffer buffer_in;
257 : : struct s2n_stuffer in;
258 : : struct s2n_stuffer out;
259 : : enum {
260 : : ENCRYPTED,
261 : : PLAINTEXT
262 : : } in_status;
263 : :
264 : : /* How much of the current user buffer have we already
265 : : * encrypted and sent or have pending for the wire but have
266 : : * not acknowledged to the user.
267 : : */
268 : : ssize_t current_user_data_consumed;
269 : :
270 : : /* An alert may be fragmented across multiple records,
271 : : * this stuffer is used to re-assemble.
272 : : */
273 : : uint8_t alert_in_data[S2N_ALERT_LENGTH];
274 : : struct s2n_stuffer alert_in;
275 : :
276 : : /* Both readers and writers can trigger alerts.
277 : : * We prioritize writer alerts over reader alerts.
278 : : */
279 : : uint8_t writer_alert_out;
280 : : uint8_t reader_alert_out;
281 : : uint8_t reader_warning_out;
282 : : bool alert_sent;
283 : :
284 : : /* Receiving error or close_notify alerts changes the behavior of s2n_shutdown_send */
285 : : s2n_atomic_flag error_alert_received;
286 : : s2n_atomic_flag close_notify_received;
287 : :
288 : : /* Our handshake state machine */
289 : : struct s2n_handshake handshake;
290 : :
291 : : /* Maximum outgoing fragment size for this connection. Does not limit
292 : : * incoming record size.
293 : : *
294 : : * This value is updated when:
295 : : * 1. s2n_connection_prefer_low_latency is set
296 : : * 2. s2n_connection_prefer_throughput is set
297 : : * 3. TLS Maximum Fragment Length extension is negotiated
298 : : *
299 : : * Default value: S2N_DEFAULT_FRAGMENT_LENGTH
300 : : */
301 : : uint16_t max_outgoing_fragment_length;
302 : :
303 : : /* The number of bytes to send before changing the record size.
304 : : * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
305 : : */
306 : : uint32_t dynamic_record_resize_threshold;
307 : :
308 : : /* Reset record size back to a single segment after threshold seconds of inactivity */
309 : : uint16_t dynamic_record_timeout_threshold;
310 : :
311 : : /* The number of bytes consumed during a period of application activity.
312 : : * Used for dynamic record sizing. */
313 : : uint64_t active_application_bytes_consumed;
314 : :
315 : : /* Negotiated TLS extension Maximum Fragment Length code.
316 : : * If set, the client and server have both agreed to fragment their records to the given length. */
317 : : uint8_t negotiated_mfl_code;
318 : :
319 : : /* Keep some accounting on each connection */
320 : : uint64_t wire_bytes_in;
321 : : uint64_t wire_bytes_out;
322 : : uint64_t early_data_bytes;
323 : :
324 : : /* Either the reader or the writer can trigger both sides of the connection
325 : : * to close in response to a fatal error.
326 : : */
327 : : s2n_atomic_flag read_closed;
328 : : s2n_atomic_flag write_closed;
329 : :
330 : : /* TLS extension data */
331 : : char server_name[S2N_MAX_SERVER_NAME + 1];
332 : :
333 : : /* The application protocol decided upon during the client hello.
334 : : * If ALPN is being used, then:
335 : : * In server mode, this will be set by the time client_hello_cb is invoked.
336 : : * In client mode, this will be set after is_handshake_complete(connection) is true.
337 : : */
338 : : char application_protocol[256];
339 : :
340 : : /* OCSP stapling response data */
341 : : s2n_status_request_type status_type;
342 : : struct s2n_blob status_response;
343 : :
344 : : /* Certificate Transparency response data */
345 : : s2n_ct_support_level ct_level_requested;
346 : : struct s2n_blob ct_response;
347 : :
348 : : /* QUIC transport parameters data: https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-8.2 */
349 : : struct s2n_blob our_quic_transport_parameters;
350 : : struct s2n_blob peer_quic_transport_parameters;
351 : :
352 : : struct s2n_client_hello client_hello;
353 : :
354 : : struct s2n_x509_validator x509_validator;
355 : :
356 : : /* After a connection is created this is the verification function that should always be used. At init time,
357 : : * the config should be checked for a verify callback and each connection should default to that. However,
358 : : * from the user's perspective, it's sometimes simpler to manage state by attaching each validation function/data
359 : : * to the connection, instead of globally to a single config.*/
360 : : s2n_verify_host_fn verify_host_fn;
361 : : void *data_for_verify_host;
362 : : uint8_t verify_host_fn_overridden;
363 : :
364 : : /* Session ticket data */
365 : : s2n_session_ticket_status session_ticket_status;
366 : : struct s2n_blob client_ticket;
367 : : uint32_t ticket_lifetime_hint;
368 : : struct s2n_ticket_fields tls13_ticket_fields;
369 : :
370 : : /* Session ticket extension from client to attempt to decrypt as the server. */
371 : : uint8_t ticket_ext_data[S2N_TLS12_TICKET_SIZE_IN_BYTES];
372 : : struct s2n_stuffer client_ticket_to_decrypt;
373 : :
374 : : /* application protocols overridden */
375 : : struct s2n_blob application_protocols_overridden;
376 : :
377 : : /* Cookie extension data */
378 : : struct s2n_blob cookie;
379 : :
380 : : struct s2n_blob cert_authorities;
381 : :
382 : : /* Flags to prevent users from calling methods recursively.
383 : : * This can be an easy mistake to make when implementing callbacks.
384 : : */
385 : : bool send_in_use;
386 : : bool recv_in_use;
387 : : bool negotiate_in_use;
388 : :
389 : : uint16_t tickets_to_send;
390 : : uint16_t tickets_sent;
391 : :
392 : : s2n_early_data_state early_data_state;
393 : : uint32_t server_max_early_data_size;
394 : : struct s2n_blob server_early_data_context;
395 : : uint32_t server_keying_material_lifetime;
396 : :
397 : : struct s2n_post_handshake post_handshake;
398 : : /* Both the reader and writer can set key_update_pending.
399 : : * The writer clears it after a KeyUpdate is sent.
400 : : */
401 : : s2n_atomic_flag key_update_pending;
402 : :
403 : : /* Track KeyUpdates for metrics */
404 : : uint8_t send_key_updated;
405 : : uint8_t recv_key_updated;
406 : : };
407 : :
408 : : S2N_CLEANUP_RESULT s2n_connection_ptr_free(struct s2n_connection **s2n_connection);
409 : :
410 : : int s2n_connection_is_managed_corked(const struct s2n_connection *s2n_connection);
411 : : int s2n_connection_is_client_auth_enabled(struct s2n_connection *s2n_connection);
412 : :
413 : : typedef enum {
414 : : S2N_IO_WRITABLE,
415 : : S2N_IO_READABLE,
416 : : S2N_IO_FULL_DUPLEX,
417 : : S2N_IO_CLOSED,
418 : : } s2n_io_status;
419 : : bool s2n_connection_check_io_status(struct s2n_connection *conn, s2n_io_status status);
420 : : S2N_RESULT s2n_connection_set_closed(struct s2n_connection *conn);
421 : :
422 : : /* Send/recv a stuffer to/from a connection */
423 : : int s2n_connection_send_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
424 : : int s2n_connection_recv_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
425 : :
426 : : S2N_RESULT s2n_connection_wipe_all_keyshares(struct s2n_connection *conn);
427 : :
428 : : /* If dynamic buffers are enabled, the IO buffers may be freed if they are completely consumed */
429 : : S2N_RESULT s2n_connection_dynamic_free_in_buffer(struct s2n_connection *conn);
430 : : S2N_RESULT s2n_connection_dynamic_free_out_buffer(struct s2n_connection *conn);
431 : :
432 : : int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences);
433 : : int s2n_connection_get_security_policy(struct s2n_connection *conn, const struct s2n_security_policy **security_policy);
434 : : int s2n_connection_get_kem_preferences(struct s2n_connection *conn, const struct s2n_kem_preferences **kem_preferences);
435 : : int s2n_connection_get_signature_preferences(struct s2n_connection *conn, const struct s2n_signature_preferences **signature_preferences);
436 : : int s2n_connection_get_ecc_preferences(struct s2n_connection *conn, const struct s2n_ecc_preferences **ecc_preferences);
437 : : int s2n_connection_get_protocol_preferences(struct s2n_connection *conn, struct s2n_blob **protocol_preferences);
438 : : int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type cert_auth_type);
439 : : int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_cert_auth_type);
440 : : int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
441 : : int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain_and_key);
442 : : uint8_t s2n_connection_get_protocol_version(const struct s2n_connection *conn);
443 : : S2N_RESULT s2n_connection_set_max_fragment_length(struct s2n_connection *conn, uint16_t length);
444 : : S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const struct s2n_cipher **cipher);
445 : : S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
446 : : s2n_mode mode, struct s2n_blob *seq_num);
|
