Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <errno.h>
19 : : #include <signal.h>
20 : : #include <stdint.h>
21 : :
22 : : #include "api/s2n.h"
23 : : #include "crypto/s2n_hash.h"
24 : : #include "crypto/s2n_hmac.h"
25 : : #include "stuffer/s2n_stuffer.h"
26 : : #include "tls/s2n_async_offload.h"
27 : : #include "tls/s2n_client_hello.h"
28 : : #include "tls/s2n_config.h"
29 : : #include "tls/s2n_crypto.h"
30 : : #include "tls/s2n_early_data.h"
31 : : #include "tls/s2n_ecc_preferences.h"
32 : : #include "tls/s2n_handshake.h"
33 : : #include "tls/s2n_kem_preferences.h"
34 : : #include "tls/s2n_key_update.h"
35 : : #include "tls/s2n_post_handshake.h"
36 : : #include "tls/s2n_prf.h"
37 : : #include "tls/s2n_quic_support.h"
38 : : #include "tls/s2n_record.h"
39 : : #include "tls/s2n_resume.h"
40 : : #include "tls/s2n_security_policies.h"
41 : : #include "tls/s2n_tls_parameters.h"
42 : : #include "tls/s2n_x509_validator.h"
43 : : #include "utils/s2n_atomic.h"
44 : : #include "utils/s2n_mem.h"
45 : : #include "utils/s2n_timer.h"
46 : :
47 : 11743167 : #define S2N_TLS_PROTOCOL_VERSION_LEN 2
48 : :
49 : 3305 : #define S2N_PEER_MODE(our_mode) ((our_mode + 1) % 2)
50 : :
51 : 148 : #define is_handshake_complete(conn) (APPLICATION_DATA == s2n_conn_get_current_message_type(conn))
52 : :
53 : 1038 : #define S2N_DEFAULT_BLINDING_MAX 30
54 : 1038 : #define S2N_DEFAULT_BLINDING_MIN 10
55 : :
56 : : typedef enum {
57 : : S2N_NO_TICKET = 0,
58 : : S2N_DECRYPT_TICKET,
59 : : S2N_NEW_TICKET
60 : : } s2n_session_ticket_status;
61 : :
62 : : struct s2n_connection {
63 : : /* Is this connection using CORK/SO_RCVLOWAT optimizations? Only valid when the connection is using
64 : : * managed_send_io
65 : : */
66 : : unsigned corked_io : 1;
67 : :
68 : : /* Session resumption indicator on client side */
69 : : unsigned client_session_resumed : 1;
70 : :
71 : : /* Connection can be used by a QUIC implementation */
72 : : unsigned quic_enabled : 1;
73 : :
74 : : /* RFC5746 Section 4.3 suggests servers implement a minimal version of the
75 : : * renegotiation_info extension even if renegotiation is not supported.
76 : : * Some clients may fail the handshake if a corresponding renegotiation_info
77 : : * extension is not sent back by the server.
78 : : */
79 : : unsigned secure_renegotiation : 1;
80 : : /* Was the EC point formats sent by the client */
81 : : unsigned ec_point_formats : 1;
82 : :
83 : : /* whether the connection address is ipv6 or not */
84 : : unsigned ipv6 : 1;
85 : :
86 : : /* Whether server_name extension was used to make a decision on cert selection.
87 : : * RFC6066 Section 3 states that server which used server_name to make a decision
88 : : * on certificate or security settings has to send an empty server_name.
89 : : */
90 : : unsigned server_name_used : 1;
91 : :
92 : : /* If write fd is broken */
93 : : unsigned write_fd_broken : 1;
94 : :
95 : : /* Has the user set their own I/O callbacks or is this connection using the
96 : : * default socket-based I/O set by s2n */
97 : : unsigned managed_send_io : 1;
98 : : unsigned managed_recv_io : 1;
99 : :
100 : : /* Early data supported by caller.
101 : : * If a caller does not use any APIs that support early data,
102 : : * do not negotiate early data.
103 : : */
104 : : unsigned early_data_expected : 1;
105 : :
106 : : /* Connection overrides server_max_early_data_size */
107 : : unsigned server_max_early_data_size_overridden : 1;
108 : :
109 : : /* Connection overrides psk_mode.
110 : : * This means that the connection will keep the existing value of psk_params->type,
111 : : * even when setting a new config. */
112 : : unsigned psk_mode_overridden : 1;
113 : :
114 : : /* Connection negotiated an EMS */
115 : : unsigned ems_negotiated : 1;
116 : :
117 : : /* Connection successfully set a ticket on the connection */
118 : : unsigned set_session : 1;
119 : :
120 : : /* Buffer multiple records before flushing them.
121 : : * This allows multiple records to be written with one socket send. */
122 : : unsigned multirecord_send : 1;
123 : :
124 : : /* If enabled, this connection will free each of its IO buffers after all data
125 : : * has been flushed */
126 : : unsigned dynamic_buffers : 1;
127 : :
128 : : /* Indicates protocol negotiation will be done through the NPN extension
129 : : * instead of the ALPN extension */
130 : : unsigned npn_negotiated : 1;
131 : :
132 : : /* Marks if kTLS has been enabled for this connection. */
133 : : unsigned ktls_send_enabled : 1;
134 : : unsigned ktls_recv_enabled : 1;
135 : :
136 : : /* Indicates whether the connection should request OCSP stapling from the peer */
137 : : unsigned request_ocsp_status : 1;
138 : :
139 : : /* Indicates that the connection was created from deserialization
140 : : * and therefore knowledge of the original handshake is limited. */
141 : : unsigned deserialized_conn : 1;
142 : :
143 : : /* Indicates s2n_recv should reduce read calls by attempting to buffer more
144 : : * data than is required for a single record.
145 : : *
146 : : * This is more efficient, but will break applications that expect exact reads,
147 : : * for example any custom IO that behaves like MSG_WAITALL.
148 : : */
149 : : unsigned recv_buffering : 1;
150 : :
151 : : /* The configuration (cert, key .. etc ) */
152 : : struct s2n_config *config;
153 : :
154 : : /* Overrides Security Policy in config if non-null */
155 : : const struct s2n_security_policy *security_policy_override;
156 : :
157 : : /* The user defined context associated with connection */
158 : : void *context;
159 : :
160 : : /* The user defined secret callback and context */
161 : : s2n_secret_cb secret_cb;
162 : : void *secret_cb_context;
163 : :
164 : : /* The send and receive callbacks don't have to be the same (e.g. two pipes) */
165 : : s2n_send_fn *send;
166 : : s2n_recv_fn *recv;
167 : :
168 : : /* The context passed to the I/O callbacks */
169 : : void *send_io_context;
170 : : void *recv_io_context;
171 : :
172 : : /* Track request/response extensions to ensure correct response extension behavior.
173 : : *
174 : : * We need to track client and server extensions separately because some
175 : : * extensions (like request_status and other Certificate extensions) can
176 : : * be requested by the client, the server, or both.
177 : : */
178 : : s2n_extension_bitfield extension_requests_sent;
179 : : s2n_extension_bitfield extension_requests_received;
180 : : s2n_extension_bitfield extension_responses_received;
181 : :
182 : : /* Is this connection a client or a server connection */
183 : : s2n_mode mode;
184 : :
185 : : /* Does s2n handle the blinding, or does the application */
186 : : s2n_blinding blinding;
187 : :
188 : : /* A timer to measure the time between record writes */
189 : : struct s2n_timer write_timer;
190 : :
191 : : /* last written time */
192 : : uint64_t last_write_elapsed;
193 : :
194 : : /* When fatal errors occurs, s2n imposes a pause before
195 : : * the connection is closed. If non-zero, this value tracks
196 : : * how many nanoseconds to pause - which will be relative to
197 : : * the write_timer value. */
198 : : uint64_t delay;
199 : :
200 : : /* The session id */
201 : : uint8_t session_id[S2N_TLS_SESSION_ID_MAX_LEN];
202 : : uint8_t session_id_len;
203 : :
204 : : /* The version advertised by the client, by the
205 : : * server, and the actual version we are currently
206 : : * speaking. */
207 : : uint8_t client_protocol_version;
208 : : uint8_t server_protocol_version;
209 : : uint8_t actual_protocol_version;
210 : : /* The version stored in the ticket / session we are resuming.
211 : : * We expect the connection to negotiate this version during
212 : : * the resumption handshake.
213 : : */
214 : : uint8_t resume_protocol_version;
215 : :
216 : : /* Flag indicating whether a protocol version has been
217 : : * negotiated yet. */
218 : : uint8_t actual_protocol_version_established;
219 : :
220 : : /* Our crypto parameters */
221 : : struct s2n_crypto_parameters *initial;
222 : : struct s2n_crypto_parameters *secure;
223 : : struct s2n_secrets secrets;
224 : :
225 : : /* Which set is the client/server actually using? */
226 : : struct s2n_crypto_parameters *client;
227 : : struct s2n_crypto_parameters *server;
228 : :
229 : : /* Contains parameters needed to negotiate a shared secret */
230 : : struct s2n_kex_parameters kex_params;
231 : :
232 : : /* Contains parameters needed during the handshake phase */
233 : : struct s2n_handshake_parameters handshake_params;
234 : :
235 : : /* Our PSK parameters */
236 : : struct s2n_psk_parameters psk_params;
237 : :
238 : : /* The PRF needs some storage elements to work with */
239 : : struct s2n_prf_working_space *prf_space;
240 : :
241 : : /* Indicates whether the application has overridden the client auth behavior
242 : : * inherited from the config.
243 : : * This should be a bitflag, but that change is blocked on the SAW proofs.
244 : : */
245 : : uint8_t client_cert_auth_type_overridden;
246 : :
247 : : /* Whether or not the client should authenticate itself to the server.
248 : : * Only used if client_cert_auth_type_overridden is true.
249 : : */
250 : : s2n_cert_auth_type client_cert_auth_type;
251 : :
252 : : /* Our workhorse stuffers, used for buffering the plaintext
253 : : * and encrypted data in both directions.
254 : : */
255 : : uint8_t header_in_data[S2N_TLS_RECORD_HEADER_LENGTH];
256 : : struct s2n_stuffer header_in;
257 : : struct s2n_stuffer buffer_in;
258 : : struct s2n_stuffer in;
259 : : struct s2n_stuffer out;
260 : : enum {
261 : : ENCRYPTED,
262 : : PLAINTEXT
263 : : } in_status;
264 : :
265 : : /* How much of the current user buffer have we already
266 : : * encrypted and sent or have pending for the wire but have
267 : : * not acknowledged to the user.
268 : : */
269 : : ssize_t current_user_data_consumed;
270 : :
271 : : /* An alert may be fragmented across multiple records,
272 : : * this stuffer is used to re-assemble.
273 : : */
274 : : uint8_t alert_in_data[S2N_ALERT_LENGTH];
275 : : struct s2n_stuffer alert_in;
276 : :
277 : : /* Both readers and writers can trigger alerts.
278 : : * We prioritize writer alerts over reader alerts.
279 : : */
280 : : uint8_t writer_alert_out;
281 : : uint8_t reader_alert_out;
282 : : uint8_t reader_warning_out;
283 : : bool alert_sent;
284 : :
285 : : /* Receiving error or close_notify alerts changes the behavior of s2n_shutdown_send */
286 : : s2n_atomic_flag error_alert_received;
287 : : s2n_atomic_flag close_notify_received;
288 : :
289 : : /* Our handshake state machine */
290 : : struct s2n_handshake handshake;
291 : :
292 : : /* Maximum outgoing fragment size for this connection. Does not limit
293 : : * incoming record size.
294 : : *
295 : : * This value is updated when:
296 : : * 1. s2n_connection_prefer_low_latency is set
297 : : * 2. s2n_connection_prefer_throughput is set
298 : : * 3. TLS Maximum Fragment Length extension is negotiated
299 : : *
300 : : * Default value: S2N_DEFAULT_FRAGMENT_LENGTH
301 : : */
302 : : uint16_t max_outgoing_fragment_length;
303 : :
304 : : /* The number of bytes to send before changing the record size.
305 : : * If this value > 0 then dynamic TLS record size is enabled. Otherwise, the feature is disabled (default).
306 : : */
307 : : uint32_t dynamic_record_resize_threshold;
308 : :
309 : : /* Reset record size back to a single segment after threshold seconds of inactivity */
310 : : uint16_t dynamic_record_timeout_threshold;
311 : :
312 : : /* The number of bytes consumed during a period of application activity.
313 : : * Used for dynamic record sizing. */
314 : : uint64_t active_application_bytes_consumed;
315 : :
316 : : /* Negotiated TLS extension Maximum Fragment Length code.
317 : : * If set, the client and server have both agreed to fragment their records to the given length. */
318 : : uint8_t negotiated_mfl_code;
319 : :
320 : : /* Keep some accounting on each connection */
321 : : uint64_t wire_bytes_in;
322 : : uint64_t wire_bytes_out;
323 : : uint64_t early_data_bytes;
324 : :
325 : : /* Either the reader or the writer can trigger both sides of the connection
326 : : * to close in response to a fatal error.
327 : : */
328 : : s2n_atomic_flag read_closed;
329 : : s2n_atomic_flag write_closed;
330 : :
331 : : /* TLS extension data */
332 : : char server_name[S2N_MAX_SERVER_NAME + 1];
333 : :
334 : : /* The application protocol decided upon during the client hello.
335 : : * If ALPN is being used, then:
336 : : * In server mode, this will be set by the time client_hello_cb is invoked.
337 : : * In client mode, this will be set after is_handshake_complete(connection) is true.
338 : : */
339 : : char application_protocol[256];
340 : :
341 : : /* OCSP stapling response data */
342 : : s2n_status_request_type status_type;
343 : : struct s2n_blob status_response;
344 : :
345 : : /* Certificate Transparency response data */
346 : : s2n_ct_support_level ct_level_requested;
347 : : struct s2n_blob ct_response;
348 : :
349 : : /* QUIC transport parameters data: https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-8.2 */
350 : : struct s2n_blob our_quic_transport_parameters;
351 : : struct s2n_blob peer_quic_transport_parameters;
352 : :
353 : : struct s2n_client_hello client_hello;
354 : :
355 : : struct s2n_x509_validator x509_validator;
356 : :
357 : : struct s2n_async_offload_op async_offload_op;
358 : :
359 : : /* After a connection is created this is the verification function that should always be used. At init time,
360 : : * the config should be checked for a verify callback and each connection should default to that. However,
361 : : * from the user's perspective, it's sometimes simpler to manage state by attaching each validation function/data
362 : : * to the connection, instead of globally to a single config.*/
363 : : s2n_verify_host_fn verify_host_fn;
364 : : void *data_for_verify_host;
365 : : uint8_t verify_host_fn_overridden;
366 : :
367 : : /* Session ticket data */
368 : : s2n_session_ticket_status session_ticket_status;
369 : : struct s2n_blob client_ticket;
370 : : uint32_t ticket_lifetime_hint;
371 : : struct s2n_ticket_fields tls13_ticket_fields;
372 : :
373 : : /* Session ticket extension from client to attempt to decrypt as the server. */
374 : : uint8_t ticket_ext_data[S2N_TLS12_TICKET_SIZE_IN_BYTES];
375 : : struct s2n_stuffer client_ticket_to_decrypt;
376 : :
377 : : /* application protocols overridden */
378 : : struct s2n_blob application_protocols_overridden;
379 : :
380 : : /* Cookie extension data */
381 : : struct s2n_blob cookie;
382 : :
383 : : struct s2n_blob cert_authorities;
384 : :
385 : : /* Flags to prevent users from calling methods recursively.
386 : : * This can be an easy mistake to make when implementing callbacks.
387 : : */
388 : : bool send_in_use;
389 : : bool recv_in_use;
390 : : bool negotiate_in_use;
391 : :
392 : : uint16_t tickets_to_send;
393 : : uint16_t tickets_sent;
394 : :
395 : : s2n_early_data_state early_data_state;
396 : : uint32_t server_max_early_data_size;
397 : : struct s2n_blob server_early_data_context;
398 : : uint32_t server_keying_material_lifetime;
399 : :
400 : : struct s2n_post_handshake post_handshake;
401 : : /* Both the reader and writer can set key_update_pending.
402 : : * The writer clears it after a KeyUpdate is sent.
403 : : */
404 : : s2n_atomic_flag key_update_pending;
405 : :
406 : : /* Track KeyUpdates for metrics */
407 : : uint8_t send_key_updated;
408 : : uint8_t recv_key_updated;
409 : : };
410 : :
411 : : S2N_CLEANUP_RESULT s2n_connection_ptr_free(struct s2n_connection **s2n_connection);
412 : :
413 : : int s2n_connection_is_managed_corked(const struct s2n_connection *s2n_connection);
414 : : int s2n_connection_is_client_auth_enabled(struct s2n_connection *s2n_connection);
415 : :
416 : : typedef enum {
417 : : S2N_IO_WRITABLE,
418 : : S2N_IO_READABLE,
419 : : S2N_IO_FULL_DUPLEX,
420 : : S2N_IO_CLOSED,
421 : : } s2n_io_status;
422 : : bool s2n_connection_check_io_status(struct s2n_connection *conn, s2n_io_status status);
423 : : S2N_RESULT s2n_connection_set_closed(struct s2n_connection *conn);
424 : :
425 : : /* Send/recv a stuffer to/from a connection */
426 : : int s2n_connection_send_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
427 : : int s2n_connection_recv_stuffer(struct s2n_stuffer *stuffer, struct s2n_connection *conn, uint32_t len);
428 : :
429 : : S2N_RESULT s2n_connection_wipe_all_keyshares(struct s2n_connection *conn);
430 : :
431 : : /* If dynamic buffers are enabled, the IO buffers may be freed if they are completely consumed */
432 : : S2N_RESULT s2n_connection_dynamic_free_in_buffer(struct s2n_connection *conn);
433 : : S2N_RESULT s2n_connection_dynamic_free_out_buffer(struct s2n_connection *conn);
434 : :
435 : : int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences);
436 : : int s2n_connection_get_security_policy(struct s2n_connection *conn, const struct s2n_security_policy **security_policy);
437 : : int s2n_connection_get_kem_preferences(struct s2n_connection *conn, const struct s2n_kem_preferences **kem_preferences);
438 : : int s2n_connection_get_signature_preferences(struct s2n_connection *conn, const struct s2n_signature_preferences **signature_preferences);
439 : : int s2n_connection_get_ecc_preferences(struct s2n_connection *conn, const struct s2n_ecc_preferences **ecc_preferences);
440 : : int s2n_connection_get_protocol_preferences(struct s2n_connection *conn, struct s2n_blob **protocol_preferences);
441 : : int s2n_connection_set_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type cert_auth_type);
442 : : int s2n_connection_get_client_auth_type(struct s2n_connection *conn, s2n_cert_auth_type *client_cert_auth_type);
443 : : int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **der_cert_chain_out, uint32_t *cert_chain_len);
444 : : int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct s2n_cert_chain_and_key *cert_chain_and_key);
445 : : uint8_t s2n_connection_get_protocol_version(const struct s2n_connection *conn);
446 : : S2N_RESULT s2n_connection_set_max_fragment_length(struct s2n_connection *conn, uint16_t length);
447 : : S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const struct s2n_cipher **cipher);
448 : : S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
449 : : s2n_mode mode, struct s2n_blob *seq_num);
|
