Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <errno.h>
19 : : #include <signal.h>
20 : : #include <stdint.h>
21 : :
22 : : #include "api/s2n.h"
23 : : #include "crypto/s2n_hash.h"
24 : : #include "crypto/s2n_hmac.h"
25 : : #include "stuffer/s2n_stuffer.h"
26 : : #include "tls/s2n_async_offload.h"
27 : : #include "tls/s2n_client_hello.h"
28 : : #include "tls/s2n_config.h"
29 : : #include "tls/s2n_crypto.h"
30 : : #include "tls/s2n_early_data.h"
31 : : #include "tls/s2n_ecc_preferences.h"
32 : : #include "tls/s2n_handshake.h"
33 : : #include "tls/s2n_kem_preferences.h"
34 : : #include "tls/s2n_key_update.h"
35 : : #include "tls/s2n_post_handshake.h"
36 : : #include "tls/s2n_prf.h"
37 : : #include "tls/s2n_quic_support.h"
38 : : #include "tls/s2n_record.h"
39 : : #include "tls/s2n_resume.h"
40 : : #include "tls/s2n_security_policies.h"
41 : : #include "tls/s2n_tls_parameters.h"
42 : : #include "tls/s2n_x509_validator.h"
43 : : #include "unstable/events.h"
44 : : #include "utils/s2n_atomic.h"
45 : : #include "utils/s2n_mem.h"
46 : : #include "utils/s2n_timer.h"
47 : :
48 : 11618784 : #define S2N_TLS_PROTOCOL_VERSION_LEN 2
49 : :
50 : 3461 : #define S2N_PEER_MODE(our_mode) ((our_mode + 1) % 2)
51 : :
52 : 148 : #define is_handshake_complete(conn) (APPLICATION_DATA == s2n_conn_get_current_message_type(conn))
53 : :
54 : 1060 : #define S2N_DEFAULT_BLINDING_MAX 30
55 : 1060 : #define S2N_DEFAULT_BLINDING_MIN 10
56 : :
57 : : typedef enum {
58 : : S2N_NO_TICKET = 0,
59 : : S2N_DECRYPT_TICKET,
60 : : S2N_NEW_TICKET
61 : : } s2n_session_ticket_status;
62 : :
63 : : struct s2n_connection {
64 : : /* Is this connection using CORK/SO_RCVLOWAT optimizations? Only valid when the connection is using
65 : : * managed_send_io
66 : : */
67 : : unsigned corked_io : 1;
68 : :
69 : : /* Session resumption indicator on client side */
70 : : unsigned client_session_resumed : 1;
71 : :
72 : : /* Connection can be used by a QUIC implementation */
73 : : unsigned quic_enabled : 1;
74 : :
75 : : /* RFC5746 Section 4.3 suggests servers implement a minimal version of the
76 : : * renegotiation_info extension even if renegotiation is not supported.
77 : : * Some clients may fail the handshake if a corresponding renegotiation_info
78 : : * extension is not sent back by the server.
79 : : */
80 : : unsigned secure_renegotiation : 1;
81 : : /* Was the EC point formats sent by the client */
82 : : unsigned ec_point_formats : 1;
83 : :
84 : : /* whether the connection address is ipv6 or not */
85 : : unsigned ipv6 : 1;
86 : :
87 : : /* Whether server_name extension was used to make a decision on cert selection.
88 : : * RFC6066 Section 3 states that server which used server_name to make a decision
89 : : * on certificate or security settings has to send an empty server_name.
90 : : */
91 : : unsigned server_name_used : 1;
92 : :
93 : : /* If write fd is broken */
94 : : unsigned write_fd_broken : 1;
95 : :
96 : : /* Has the user set their own I/O callbacks or is this connection using the
97 : : * default socket-based I/O set by s2n */
98 : : unsigned managed_send_io : 1;
99 : : unsigned managed_recv_io : 1;
100 : :
101 : : /* Early data supported by caller.
102 : : * If a caller does not use any APIs that support early data,
103 : : * do not negotiate early data.
104 : : */
105 : : unsigned early_data_expected : 1;
106 : :
107 : : /* Connection overrides server_max_early_data_size */
108 : : unsigned server_max_early_data_size_overridden : 1;
109 : :
110 : : /* Connection overrides psk_mode.
111 : : * This means that the connection will keep the existing value of psk_params->type,
112 : : * even when setting a new config. */
113 : : unsigned psk_mode_overridden : 1;
114 : :
115 : : /* Connection negotiated an EMS */
116 : : unsigned ems_negotiated : 1;
117 : :
118 : : /* Connection successfully set a ticket on the connection */
119 : : unsigned set_session : 1;
120 : :
121 : : /* Buffer multiple records before flushing them.
122 : : * This allows multiple records to be written with one socket send. */
123 : : unsigned multirecord_send : 1;
124 : :
125 : : /* If enabled, this connection will free each of its IO buffers after all data
126 : : * has been flushed */
127 : : unsigned dynamic_buffers : 1;
128 : :
129 : : /* Indicates protocol negotiation will be done through the NPN extension
130 : : * instead of the ALPN extension */
131 : : unsigned npn_negotiated : 1;
132 : :
133 : : /* Marks if kTLS has been enabled for this connection. */
134 : : unsigned ktls_send_enabled : 1;
135 : : unsigned ktls_recv_enabled : 1;
136 : :
137 : : /* Indicates whether the connection should request OCSP stapling from the peer */
138 : : unsigned request_ocsp_status : 1;
139 : :
140 : : /* Indicates that the connection was created from deserialization
141 : : * and therefore knowledge of the original handshake is limited. */
142 : : unsigned deserialized_conn : 1;
143 : :
144 : : /* Indicates s2n_recv should reduce read calls by attempting to buffer more
145 : : * data than is required for a single record.
146 : : *
147 : : * This is more efficient, but will break applications that expect exact reads,
148 : : * for example any custom IO that behaves like MSG_WAITALL.
149 : : */
150 : : unsigned recv_buffering : 1;
151 : :
152 : : /* The configuration (cert, key .. etc ) */
153 : : struct s2n_config *config;
154 : :
155 : : /* Overrides Security Policy in config if non-null */
156 : : const struct s2n_security_policy *security_policy_override;
157 : :
158 : : /* The user defined context associated with connection */
159 : : void *context;
160 : :
161 : : /* The user defined secret callback and context */
162 : : s2n_secret_cb secret_cb;
163 : : void *secret_cb_context;
164 : :
165 : : /* The send and receive callbacks don't have to be the same (e.g. two pipes) */
166 : : s2n_send_fn *send;
167 : : s2n_recv_fn *recv;
168 : :
169 : : /* The context passed to the I/O callbacks */
170 : : void *send_io_context;
171 : : void *recv_io_context;
172 : :
173 : : /* Track request/response extensions to ensure correct response extension behavior.
174 : : *
175 : : * We need to track client and server extensions separately because some
176 : : * extensions (like request_status and other Certificate extensions) can
177 : : * be requested by the client, the server, or both.
178 : : */
179 : : s2n_extension_bitfield extension_requests_sent;
180 : : s2n_extension_bitfield extension_requests_received;
181 : : s2n_extension_bitfield extension_responses_received;
182 : :
183 : : /* Is this connection a client or a server connection */
184 : : s2n_mode mode;
185 : :
186 : : /* Does s2n handle the blinding, or does the application */
187 : : s2n_blinding blinding;
188 : :
189 : : /* A timer to measure the time between record writes */
190 : : struct s2n_timer write_timer;
191 : :
192 : : /* last written time */
193 : : uint64_t last_write_elapsed;
194 : :
195 : : /* When fatal errors occurs, s2n imposes a pause before
196 : : * the connection is closed. If non-zero, this value tracks
197 : : * how many nanoseconds to pause - which will be relative to
198 : : * the write_timer value. */
199 : : uint64_t delay;
200 : :
201 : : /* The session id */
202 : : uint8_t session_id[S2N_TLS_SESSION_ID_MAX_LEN];
203 : : uint8_t session_id_len;
204 : :
205 : : /* The version advertised by the client, by the
206 : : * server, and the actual version we are currently
207 : : * speaking. */
208 : : uint8_t client_protocol_version;
209 : : uint8_t server_protocol_version;
210 : : uint8_t actual_protocol_version;
211 : : /* The version stored in the ticket / session we are resuming.
212 : : * We expect the connection to negotiate this version during
213 : : * the resumption handshake.
214 : : */
215 : : uint8_t resume_protocol_version;
216 : :
217 : : /* Flag indicating whether a protocol version has been
218 : : * negotiated yet. */
219 : : uint8_t actual_protocol_version_established;
220 : :
221 : : /* Our crypto parameters */
222 : : struct s2n_crypto_parameters *initial;
223 : : struct s2n_crypto_parameters *secure;
224 : : struct s2n_secrets secrets;
225 : :
226 : : /* Which set is the client/server actually using? */
227 : : struct s2n_crypto_parameters *client;
228 : : struct s2n_crypto_parameters *server;
229 : :
230 : : /* Contains parameters needed to negotiate a shared secret */
231 : : struct s2n_kex_parameters kex_params;
232 : :
233 : : /* Contains parameters needed during the handshake phase */
234 : : struct s2n_handshake_parameters handshake_params;
235 : :
236 : : /* Our PSK parameters */
237 : : struct s2n_psk_parameters psk_params;
238 : :
239 : : /* The PRF needs some storage elements to work with */
240 : : struct s2n_prf_working_space *prf_space;
241 : :
242 : : /* Indicates whether the application has overridden the client auth behavior
243 : : * inherited from the config.
244 : : * This should be a bitflag, but that change is blocked on the SAW proofs.
245 : : */
246 : : uint8_t client_cert_auth_type_overridden;
247 : :
248 : : /* Whether or not the client should authenticate itself to the server.
249 : : * Only used if client_cert_auth_type_overridden is true.
250 : : */
251 : : s2n_cert_auth_type client_cert_auth_type;
252 : :
253 : : /* Our workhorse stuffers, used for buffering the plaintext
254 : : * and encrypted data in both directions.
255 : : */
256 : : uint8_t header_in_data[S2N_TLS_RECORD_HEADER_LENGTH];
257 : : struct s2n_stuffer header_in;
258 : : struct s2n_stuffer buffer_in;
259 : : struct s2n_stuffer in;
260 : : struct s2n_stuffer out;
261 : : enum {
262 : : ENCRYPTED,
263 : : PLAINTEXT
264 : : } in_status;
265 : :
266 : : /* How much of the current user buffer have we already
267 : : * encrypted and sent or have pending for the wire but have
268 : : * not acknowledged to the user.
269 : : */
270 : : ssize_t current_user_data_consumed;
271 : :
272 : : /* An alert may be fragmented across multiple records,
273 : : * this stuffer is used to re-assemble.
274 : : */
275 : : uint8_t alert_in_data[S2N_ALERT_LENGTH];
276 : : struct s2n_stuffer alert_in;
277 : :
278 : : /* Both readers and writers can trigger alerts.
279 : : * We prioritize writer alerts over reader alerts.
280 : : */
281 : : uint8_t writer_alert_out;
282 : : uint8_t reader_alert_out;
283 : : uint8_t reader_warning_out;
284 : : bool alert_sent;
285 : :
286 : : /* Receiving error or close_notify alerts changes the behavior of s2n_shutdown_send */
287 : : s2n_atomic_flag error_alert_received;
288 : : s2n_atomic_flag close_notify_received;
289 : :
290 : : /* Our handshake state machine */
291 : : struct s2n_handshake handshake;
292 : :
293 : : /* Maximum outgoing fragment size for this connection. Does not limit
294 : : * incoming record size.
295 : : *
296 : : * This value is updated when:
297 : : * 1. s2n_connection_prefer_low_latency is set
298 : : * 2. s2n_connection_prefer_throughput is set
299 : : * 3. TLS Maximum Fragment Length extension is negotiated
300 : : *
301 : : * Default value: S2N_DEFAULT_FRAGMENT_LENGTH
302 : : */
303 : : uint16_t max_outgoing_fragment_length;
304 : :
305 : : /* The number of bytes to send before changing the record size.
306 : : * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
307 : : */
308 : : uint32_t dynamic_record_resize_threshold;
309 : :
310 : : /* Reset record size back to a single segment after threshold seconds of inactivity */
311 : : uint16_t dynamic_record_timeout_threshold;
312 : :
313 : : /* The number of bytes consumed during a period of application activity.
314 : : * Used for dynamic record sizing. */
315 : : uint64_t active_application_bytes_consumed;
316 : :
317 : : /* Negotiated TLS extension Maximum Fragment Length code.
318 : : * If set, the client and server have both agreed to fragment their records to the given length. */
319 : : uint8_t negotiated_mfl_code;
320 : :
321 : : /* Keep some accounting on each connection */
322 : : uint64_t wire_bytes_in;
323 : : uint64_t wire_bytes_out;
324 : : uint64_t early_data_bytes;
325 : :
326 : : /* Either the reader or the writer can trigger both sides of the connection
327 : : * to close in response to a fatal error.
328 : : */
329 : : s2n_atomic_flag read_closed;
330 : : s2n_atomic_flag write_closed;
331 : :
332 : : /* TLS extension data */
333 : : char server_name[S2N_MAX_SERVER_NAME + 1];
334 : :
335 : : /* The application protocol decided upon during the client hello.
336 : : * If ALPN is being used, then:
337 : : * In server mode, this will be set by the time client_hello_cb is invoked.
338 : : * In client mode, this will be set after is_handshake_complete(connection) is true.
339 : : */
340 : : char application_protocol[256];
341 : :
342 : : /* OCSP stapling response data */
343 : : s2n_status_request_type status_type;
344 : : struct s2n_blob status_response;
345 : :
346 : : /* Certificate Transparency response data */
347 : : s2n_ct_support_level ct_level_requested;
348 : : struct s2n_blob ct_response;
349 : :
350 : : /* QUIC transport parameters data: https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-8.2 */
351 : : struct s2n_blob our_quic_transport_parameters;
352 : : struct s2n_blob peer_quic_transport_parameters;
353 : :
354 : : struct s2n_client_hello client_hello;
355 : :
356 : : struct s2n_x509_validator x509_validator;
357 : :
358 : : struct s2n_async_offload_op async_offload_op;
359 : :
360 : : /* After a connection is created this is the verification function that should always be used. At init time,
361 : : * the config should be checked for a verify callback and each connection should default to that. However,
362 : : * from the user's perspective, it's sometimes simpler to manage state by attaching each validation function/data
363 : : * to the connection, instead of globally to a single config.*/
364 : : s2n_verify_host_fn verify_host_fn;
365 : : void *data_for_verify_host;
366 : : uint8_t verify_host_fn_overridden;
367 : :
368 : : /* Session ticket data */
369 : : s2n_session_ticket_status session_ticket_status;
370 : : struct s2n_blob client_ticket;
371 : : uint32_t ticket_lifetime_hint;
372 : : struct s2n_ticket_fields tls13_ticket_fields;
373 : :
374 : : /* Session ticket extension from client to attempt to decrypt as the server. */
375 : : uint8_t ticket_ext_data[S2N_TLS12_TICKET_SIZE_IN_BYTES];
376 : : struct s2n_stuffer client_ticket_to_decrypt;
377 : :
378 : : /* application protocols overridden */
379 : : struct s2n_blob application_protocols_overridden;
380 : :
381 : : /* Cookie extension data */
382 : : struct s2n_blob cookie;
383 : :
384 : : struct s2n_blob cert_authorities;
385 : :
386 : : /* Flags to prevent users from calling methods recursively.
387 : : * This can be an easy mistake to make when implementing callbacks.
388 : : */
389 : : bool send_in_use;
390 : : bool recv_in_use;
391 : : bool negotiate_in_use;
392 : :
393 : : uint16_t tickets_to_send;
394 : : uint16_t tickets_sent;
395 : :
396 : : s2n_early_data_state early_data_state;
397 : : uint32_t server_max_early_data_size;
398 : : struct s2n_blob server_early_data_context;
399 : : uint32_t server_keying_material_lifetime;
400 : :
401 : : struct s2n_post_handshake post_handshake;
402 : : /* Both the reader and writer can set key_update_pending.
403 : : * The writer clears it after a KeyUpdate is sent.
404 : : */
405 : : s2n_atomic_flag key_update_pending;
406 : :
407 : : /* Track KeyUpdates for metrics */
408 : : uint8_t send_key_updated;
409 : : uint8_t recv_key_updated;
410 : :
411 : : struct s2n_event_handshake handshake_event;
412 : : };
413 : :
414 : : S2N_CLEANUP_RESULT s2n_connection_ptr_free(struct s2n_connection **s2n_connection);
415 : :
416 : : int s2n_connection_is_managed_corked(const struct s2n_connection *s2n_connection);
417 : : int s2n_connection_is_client_auth_enabled(struct s2n_connection *s2n_connection);
418 : :
419 : : typedef enum {
420 : : S2N_IO_WRITABLE,
421 : : S2N_IO_READABLE,
422 : : S2N_IO_FULL_DUPLEX,
423 : : S2N_IO_CLOSED,
424 : : } s2n_io_status;
425 : : bool s2n_connection_check_io_status(struct s2n_connection *conn, s2n_io_status status);
426 : : S2N_RESULT s2n_connection_set_closed(struct s2n_connection *conn);
427 : :
428 : : /* Send/recv a stuffer to/from a connection */
429 : : int s2n_connection_send_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
430 : : int s2n_connection_recv_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
431 : :
432 : : S2N_RESULT s2n_connection_wipe_all_keyshares(struct s2n_connection *conn);
433 : :
434 : : /* If dynamic buffers are enabled, the IO buffers may be freed if they are completely consumed */
435 : : S2N_RESULT s2n_connection_dynamic_free_in_buffer(struct s2n_connection *conn);
436 : : S2N_RESULT s2n_connection_dynamic_free_out_buffer(struct s2n_connection *conn);
437 : :
438 : : int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences);
439 : : int s2n_connection_get_security_policy(struct s2n_connection *conn, const struct s2n_security_policy **security_policy);
440 : : int s2n_connection_get_kem_preferences(struct s2n_connection *conn, const struct s2n_kem_preferences **kem_preferences);
441 : : int s2n_connection_get_signature_preferences(struct s2n_connection *conn, const struct s2n_signature_preferences **signature_preferences);
442 : : int s2n_connection_get_ecc_preferences(struct s2n_connection *conn, const struct s2n_ecc_preferences **ecc_preferences);
443 : : int s2n_connection_get_protocol_preferences(struct s2n_connection *conn, struct s2n_blob **protocol_preferences);
444 : : int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type cert_auth_type);
445 : : int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_cert_auth_type);
446 : : int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
447 : : int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain_and_key);
448 : : uint8_t s2n_connection_get_protocol_version(const struct s2n_connection *conn);
449 : : S2N_RESULT s2n_connection_set_max_fragment_length(struct s2n_connection *conn, uint16_t length);
450 : : S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const struct s2n_cipher **cipher);
451 : : S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
452 : : s2n_mode mode, struct s2n_blob *seq_num);
|
