Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <errno.h>
19 : : #include <signal.h>
20 : : #include <stdint.h>
21 : :
22 : : #include "api/s2n.h"
23 : : #include "crypto/s2n_hash.h"
24 : : #include "crypto/s2n_hmac.h"
25 : : #include "stuffer/s2n_stuffer.h"
26 : : #include "tls/s2n_async_offload.h"
27 : : #include "tls/s2n_client_hello.h"
28 : : #include "tls/s2n_config.h"
29 : : #include "tls/s2n_crypto.h"
30 : : #include "tls/s2n_early_data.h"
31 : : #include "tls/s2n_ecc_preferences.h"
32 : : #include "tls/s2n_handshake.h"
33 : : #include "tls/s2n_kem_preferences.h"
34 : : #include "tls/s2n_key_update.h"
35 : : #include "tls/s2n_post_handshake.h"
36 : : #include "tls/s2n_prf.h"
37 : : #include "tls/s2n_quic_support.h"
38 : : #include "tls/s2n_record.h"
39 : : #include "tls/s2n_resume.h"
40 : : #include "tls/s2n_security_policies.h"
41 : : #include "tls/s2n_tls_parameters.h"
42 : : #include "tls/s2n_x509_validator.h"
43 : : #include "unstable/events.h"
44 : : #include "utils/s2n_atomic.h"
45 : : #include "utils/s2n_mem.h"
46 : : #include "utils/s2n_timer.h"
47 : :
48 : 11693781 : #define S2N_TLS_PROTOCOL_VERSION_LEN 2
49 : :
50 : 3423 : #define S2N_PEER_MODE(our_mode) ((our_mode + 1) % 2)
51 : :
52 : 148 : #define is_handshake_complete(conn) (APPLICATION_DATA == s2n_conn_get_current_message_type(conn))
53 : :
54 : 1056 : #define S2N_DEFAULT_BLINDING_MAX 30
55 : 1056 : #define S2N_DEFAULT_BLINDING_MIN 10
56 : :
57 : : typedef enum {
58 : : S2N_NO_TICKET = 0,
59 : : S2N_DECRYPT_TICKET,
60 : : S2N_NEW_TICKET
61 : : } s2n_session_ticket_status;
62 : :
63 : : struct s2n_connection {
64 : : /* Is this connection using CORK/SO_RCVLOWAT optimizations? Only valid when the connection is using
65 : : * managed_send_io
66 : : */
67 : : unsigned corked_io : 1;
68 : :
69 : : /* Session resumption indicator on client side */
70 : : unsigned client_session_resumed : 1;
71 : :
72 : : /* Connection can be used by a QUIC implementation */
73 : : unsigned quic_enabled : 1;
74 : :
75 : : /* RFC5746 Section 4.3 suggests servers implement a minimal version of the
76 : : * renegotiation_info extension even if renegotiation is not supported.
77 : : * Some clients may fail the handshake if a corresponding renegotiation_info
78 : : * extension is not sent back by the server.
79 : : */
80 : : unsigned secure_renegotiation : 1;
81 : : /* Was the EC point formats sent by the client */
82 : : unsigned ec_point_formats : 1;
83 : :
84 : : /* Whether server_name extension was used to make a decision on cert selection.
85 : : * RFC6066 Section 3 states that server which used server_name to make a decision
86 : : * on certificate or security settings has to send an empty server_name.
87 : : */
88 : : unsigned server_name_used : 1;
89 : :
90 : : /* If write fd is broken */
91 : : unsigned write_fd_broken : 1;
92 : :
93 : : /* Has the user set their own I/O callbacks or is this connection using the
94 : : * default socket-based I/O set by s2n */
95 : : unsigned managed_send_io : 1;
96 : : unsigned managed_recv_io : 1;
97 : :
98 : : /* Early data supported by caller.
99 : : * If a caller does not use any APIs that support early data,
100 : : * do not negotiate early data.
101 : : */
102 : : unsigned early_data_expected : 1;
103 : :
104 : : /* Connection overrides server_max_early_data_size */
105 : : unsigned server_max_early_data_size_overridden : 1;
106 : :
107 : : /* Connection overrides psk_mode.
108 : : * This means that the connection will keep the existing value of psk_params->type,
109 : : * even when setting a new config. */
110 : : unsigned psk_mode_overridden : 1;
111 : :
112 : : /* Connection negotiated an EMS */
113 : : unsigned ems_negotiated : 1;
114 : :
115 : : /* Connection successfully set a ticket on the connection */
116 : : unsigned set_session : 1;
117 : :
118 : : /* Buffer multiple records before flushing them.
119 : : * This allows multiple records to be written with one socket send. */
120 : : unsigned multirecord_send : 1;
121 : :
122 : : /* If enabled, this connection will free each of its IO buffers after all data
123 : : * has been flushed */
124 : : unsigned dynamic_buffers : 1;
125 : :
126 : : /* Indicates protocol negotiation will be done through the NPN extension
127 : : * instead of the ALPN extension */
128 : : unsigned npn_negotiated : 1;
129 : :
130 : : /* Marks if kTLS has been enabled for this connection. */
131 : : unsigned ktls_send_enabled : 1;
132 : : unsigned ktls_recv_enabled : 1;
133 : :
134 : : /* Indicates whether the connection should request OCSP stapling from the peer */
135 : : unsigned request_ocsp_status : 1;
136 : :
137 : : /* Indicates that the connection was created from deserialization
138 : : * and therefore knowledge of the original handshake is limited. */
139 : : unsigned deserialized_conn : 1;
140 : :
141 : : /* Indicates s2n_recv should reduce read calls by attempting to buffer more
142 : : * data than is required for a single record.
143 : : *
144 : : * This is more efficient, but will break applications that expect exact reads,
145 : : * for example any custom IO that behaves like MSG_WAITALL.
146 : : */
147 : : unsigned recv_buffering : 1;
148 : :
149 : : /* The configuration (cert, key .. etc ) */
150 : : struct s2n_config *config;
151 : :
152 : : /* Overrides Security Policy in config if non-null */
153 : : const struct s2n_security_policy *security_policy_override;
154 : :
155 : : /* The user defined context associated with connection */
156 : : void *context;
157 : :
158 : : /* The user defined secret callback and context */
159 : : s2n_secret_cb secret_cb;
160 : : void *secret_cb_context;
161 : :
162 : : /* The send and receive callbacks don't have to be the same (e.g. two pipes) */
163 : : s2n_send_fn *send;
164 : : s2n_recv_fn *recv;
165 : :
166 : : /* The context passed to the I/O callbacks */
167 : : void *send_io_context;
168 : : void *recv_io_context;
169 : :
170 : : /* Track request/response extensions to ensure correct response extension behavior.
171 : : *
172 : : * We need to track client and server extensions separately because some
173 : : * extensions (like request_status and other Certificate extensions) can
174 : : * be requested by the client, the server, or both.
175 : : */
176 : : s2n_extension_bitfield extension_requests_sent;
177 : : s2n_extension_bitfield extension_requests_received;
178 : : s2n_extension_bitfield extension_responses_received;
179 : :
180 : : /* Is this connection a client or a server connection */
181 : : s2n_mode mode;
182 : :
183 : : /* Does s2n handle the blinding, or does the application */
184 : : s2n_blinding blinding;
185 : :
186 : : /* A timer to measure the time between record writes */
187 : : struct s2n_timer write_timer;
188 : :
189 : : /* last written time */
190 : : uint64_t last_write_elapsed;
191 : :
192 : : /* When fatal errors occurs, s2n imposes a pause before
193 : : * the connection is closed. If non-zero, this value tracks
194 : : * how many nanoseconds to pause - which will be relative to
195 : : * the write_timer value. */
196 : : uint64_t delay;
197 : :
198 : : /* The session id */
199 : : uint8_t session_id[S2N_TLS_SESSION_ID_MAX_LEN];
200 : : uint8_t session_id_len;
201 : :
202 : : /* The version advertised by the client, by the
203 : : * server, and the actual version we are currently
204 : : * speaking. */
205 : : uint8_t client_protocol_version;
206 : : uint8_t server_protocol_version;
207 : : uint8_t actual_protocol_version;
208 : : /* The version stored in the ticket / session we are resuming.
209 : : * We expect the connection to negotiate this version during
210 : : * the resumption handshake.
211 : : */
212 : : uint8_t resume_protocol_version;
213 : :
214 : : /* Flag indicating whether a protocol version has been
215 : : * negotiated yet. */
216 : : uint8_t actual_protocol_version_established;
217 : :
218 : : /* Our crypto parameters */
219 : : struct s2n_crypto_parameters *initial;
220 : : struct s2n_crypto_parameters *secure;
221 : : struct s2n_secrets secrets;
222 : :
223 : : /* Which set is the client/server actually using? */
224 : : struct s2n_crypto_parameters *client;
225 : : struct s2n_crypto_parameters *server;
226 : :
227 : : /* Contains parameters needed to negotiate a shared secret */
228 : : struct s2n_kex_parameters kex_params;
229 : :
230 : : /* Contains parameters needed during the handshake phase */
231 : : struct s2n_handshake_parameters handshake_params;
232 : :
233 : : /* Our PSK parameters */
234 : : struct s2n_psk_parameters psk_params;
235 : :
236 : : /* The PRF needs some storage elements to work with */
237 : : struct s2n_prf_working_space *prf_space;
238 : :
239 : : /* Indicates whether the application has overridden the client auth behavior
240 : : * inherited from the config.
241 : : * This should be a bitflag, but that change is blocked on the SAW proofs.
242 : : */
243 : : uint8_t client_cert_auth_type_overridden;
244 : :
245 : : /* Whether or not the client should authenticate itself to the server.
246 : : * Only used if client_cert_auth_type_overridden is true.
247 : : */
248 : : s2n_cert_auth_type client_cert_auth_type;
249 : :
250 : : /* Our workhorse stuffers, used for buffering the plaintext
251 : : * and encrypted data in both directions.
252 : : */
253 : : uint8_t header_in_data[S2N_TLS_RECORD_HEADER_LENGTH];
254 : : struct s2n_stuffer header_in;
255 : : struct s2n_stuffer buffer_in;
256 : : struct s2n_stuffer in;
257 : : struct s2n_stuffer out;
258 : : enum {
259 : : ENCRYPTED,
260 : : PLAINTEXT
261 : : } in_status;
262 : :
263 : : /* How much of the current user buffer have we already
264 : : * encrypted and sent or have pending for the wire but have
265 : : * not acknowledged to the user.
266 : : */
267 : : ssize_t current_user_data_consumed;
268 : :
269 : : /* An alert may be fragmented across multiple records,
270 : : * this stuffer is used to re-assemble.
271 : : */
272 : : uint8_t alert_in_data[S2N_ALERT_LENGTH];
273 : : struct s2n_stuffer alert_in;
274 : :
275 : : /* Both readers and writers can trigger alerts.
276 : : * We prioritize writer alerts over reader alerts.
277 : : */
278 : : uint8_t writer_alert_out;
279 : : uint8_t reader_alert_out;
280 : : uint8_t reader_warning_out;
281 : : bool alert_sent;
282 : :
283 : : /* Receiving error or close_notify alerts changes the behavior of s2n_shutdown_send */
284 : : s2n_atomic_flag error_alert_received;
285 : : s2n_atomic_flag close_notify_received;
286 : :
287 : : /* Our handshake state machine */
288 : : struct s2n_handshake handshake;
289 : :
290 : : /* Maximum outgoing fragment size for this connection. Does not limit
291 : : * incoming record size.
292 : : *
293 : : * This value is updated when:
294 : : * 1. s2n_connection_prefer_low_latency is set
295 : : * 2. s2n_connection_prefer_throughput is set
296 : : * 3. TLS Maximum Fragment Length extension is negotiated
297 : : *
298 : : * Default value: S2N_DEFAULT_FRAGMENT_LENGTH
299 : : */
300 : : uint16_t max_outgoing_fragment_length;
301 : :
302 : : /* The number of bytes to send before changing the record size.
303 : : * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
304 : : */
305 : : uint32_t dynamic_record_resize_threshold;
306 : :
307 : : /* Reset record size back to a single segment after threshold seconds of inactivity */
308 : : uint16_t dynamic_record_timeout_threshold;
309 : :
310 : : /* The number of bytes consumed during a period of application activity.
311 : : * Used for dynamic record sizing. */
312 : : uint64_t active_application_bytes_consumed;
313 : :
314 : : /* Negotiated TLS extension Maximum Fragment Length code.
315 : : * If set, the client and server have both agreed to fragment their records to the given length. */
316 : : uint8_t negotiated_mfl_code;
317 : :
318 : : /* Keep some accounting on each connection */
319 : : uint64_t wire_bytes_in;
320 : : uint64_t wire_bytes_out;
321 : : uint64_t early_data_bytes;
322 : :
323 : : /* Either the reader or the writer can trigger both sides of the connection
324 : : * to close in response to a fatal error.
325 : : */
326 : : s2n_atomic_flag read_closed;
327 : : s2n_atomic_flag write_closed;
328 : :
329 : : /* TLS extension data */
330 : : char server_name[S2N_MAX_SERVER_NAME + 1];
331 : :
332 : : /* The application protocol decided upon during the client hello.
333 : : * If ALPN is being used, then:
334 : : * In server mode, this will be set by the time client_hello_cb is invoked.
335 : : * In client mode, this will be set after is_handshake_complete(connection) is true.
336 : : */
337 : : char application_protocol[256];
338 : :
339 : : /* OCSP stapling response data */
340 : : s2n_status_request_type status_type;
341 : : struct s2n_blob status_response;
342 : :
343 : : /* Certificate Transparency response data */
344 : : s2n_ct_support_level ct_level_requested;
345 : : struct s2n_blob ct_response;
346 : :
347 : : /* QUIC transport parameters data: https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-8.2 */
348 : : struct s2n_blob our_quic_transport_parameters;
349 : : struct s2n_blob peer_quic_transport_parameters;
350 : :
351 : : struct s2n_client_hello client_hello;
352 : :
353 : : struct s2n_x509_validator x509_validator;
354 : :
355 : : struct s2n_async_offload_op async_offload_op;
356 : :
357 : : /* After a connection is created this is the verification function that should always be used. At init time,
358 : : * the config should be checked for a verify callback and each connection should default to that. However,
359 : : * from the user's perspective, it's sometimes simpler to manage state by attaching each validation function/data
360 : : * to the connection, instead of globally to a single config.*/
361 : : s2n_verify_host_fn verify_host_fn;
362 : : void *data_for_verify_host;
363 : : uint8_t verify_host_fn_overridden;
364 : :
365 : : /* Session ticket data */
366 : : s2n_session_ticket_status session_ticket_status;
367 : : struct s2n_blob client_ticket;
368 : : uint32_t ticket_lifetime_hint;
369 : : struct s2n_ticket_fields tls13_ticket_fields;
370 : :
371 : : /* Session ticket extension from client to attempt to decrypt as the server. */
372 : : uint8_t ticket_ext_data[S2N_TLS12_TICKET_SIZE_IN_BYTES];
373 : : struct s2n_stuffer client_ticket_to_decrypt;
374 : :
375 : : /* application protocols overridden */
376 : : struct s2n_blob application_protocols_overridden;
377 : :
378 : : /* Cookie extension data */
379 : : struct s2n_blob cookie;
380 : :
381 : : struct s2n_blob cert_authorities;
382 : :
383 : : /* Flags to prevent users from calling methods recursively.
384 : : * This can be an easy mistake to make when implementing callbacks.
385 : : */
386 : : bool send_in_use;
387 : : bool recv_in_use;
388 : : bool negotiate_in_use;
389 : :
390 : : uint16_t tickets_to_send;
391 : : uint16_t tickets_sent;
392 : :
393 : : s2n_early_data_state early_data_state;
394 : : uint32_t server_max_early_data_size;
395 : : struct s2n_blob server_early_data_context;
396 : : uint32_t server_keying_material_lifetime;
397 : :
398 : : struct s2n_post_handshake post_handshake;
399 : : /* Both the reader and writer can set key_update_pending.
400 : : * The writer clears it after a KeyUpdate is sent.
401 : : */
402 : : s2n_atomic_flag key_update_pending;
403 : :
404 : : /* Track KeyUpdates for metrics */
405 : : uint8_t send_key_updated;
406 : : uint8_t recv_key_updated;
407 : :
408 : : struct s2n_event_handshake handshake_event;
409 : : };
410 : :
411 : : S2N_CLEANUP_RESULT s2n_connection_ptr_free(struct s2n_connection **s2n_connection);
412 : :
413 : : int s2n_connection_is_managed_corked(const struct s2n_connection *s2n_connection);
414 : : int s2n_connection_is_client_auth_enabled(struct s2n_connection *s2n_connection);
415 : :
416 : : typedef enum {
417 : : S2N_IO_WRITABLE,
418 : : S2N_IO_READABLE,
419 : : S2N_IO_FULL_DUPLEX,
420 : : S2N_IO_CLOSED,
421 : : } s2n_io_status;
422 : : bool s2n_connection_check_io_status(struct s2n_connection *conn, s2n_io_status status);
423 : : S2N_RESULT s2n_connection_set_closed(struct s2n_connection *conn);
424 : :
425 : : /* Send/recv a stuffer to/from a connection */
426 : : int s2n_connection_send_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
427 : : int s2n_connection_recv_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
428 : :
429 : : S2N_RESULT s2n_connection_wipe_all_keyshares(struct s2n_connection *conn);
430 : :
431 : : /* If dynamic buffers are enabled, the IO buffers may be freed if they are completely consumed */
432 : : S2N_RESULT s2n_connection_dynamic_free_in_buffer(struct s2n_connection *conn);
433 : : S2N_RESULT s2n_connection_dynamic_free_out_buffer(struct s2n_connection *conn);
434 : :
435 : : int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences);
436 : : int s2n_connection_get_security_policy(struct s2n_connection *conn, const struct s2n_security_policy **security_policy);
437 : : int s2n_connection_get_kem_preferences(struct s2n_connection *conn, const struct s2n_kem_preferences **kem_preferences);
438 : : int s2n_connection_get_signature_preferences(struct s2n_connection *conn, const struct s2n_signature_preferences **signature_preferences);
439 : : int s2n_connection_get_ecc_preferences(struct s2n_connection *conn, const struct s2n_ecc_preferences **ecc_preferences);
440 : : int s2n_connection_get_protocol_preferences(struct s2n_connection *conn, struct s2n_blob **protocol_preferences);
441 : : int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type cert_auth_type);
442 : : int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_cert_auth_type);
443 : : int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
444 : : int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain_and_key);
445 : : uint8_t s2n_connection_get_protocol_version(const struct s2n_connection *conn);
446 : : S2N_RESULT s2n_connection_set_max_fragment_length(struct s2n_connection *conn, uint16_t length);
447 : : S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const struct s2n_cipher **cipher);
448 : : S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
449 : : s2n_mode mode, struct s2n_blob *seq_num);
|