aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_secrets_rfc8448_test.c

@@ -33,6 +33,9 @@ const int server_hello_message_num = 1;
 const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };
 
 S2N_RESULT s2n_extract_early_secret(struct s2n_psk *psk);
+S2N_RESULT s2n_tls13_extract_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type);
+S2N_RESULT s2n_tls13_derive_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type,
+        s2n_mode mode, struct s2n_blob *secret);
 
 int main(int argc, char **argv)
 {
@@ -74,8 +77,9 @@ int main(int argc, char **argv)
                 conn->secure.cipher_suite = cipher_suite;
 
                 EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.early_secret,
+                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
                         early_secret.data, early_secret.size);
+                EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
             }
         }
 
@@ -159,8 +163,9 @@ int main(int argc, char **argv)
                 EXPECT_NOT_NULL(conn->kex_params.client_ecc_evp_params.evp_pkey);
 
                 EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret,
+                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
                         handshake_secret.data, handshake_secret.size);
+                EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
             }
 
             /* Client */
@@ -180,8 +185,9 @@ int main(int argc, char **argv)
                 EXPECT_NOT_NULL(conn->kex_params.client_ecc_evp_params.evp_pkey);
 
                 EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret,
+                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
                         handshake_secret.data, handshake_secret.size);
+                EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
             }
         }
 #endif
@@ -246,8 +252,7 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->server_hello_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_HELLO, &hash));
 
                 EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_CLIENT,
                         &derived_secret));
@@ -315,8 +320,7 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->server_hello_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_HELLO, &hash));
 
                 EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_SERVER,
                         &derived_secret));
@@ -360,8 +364,9 @@ int main(int argc, char **argv)
                 EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
 
                 EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret,
+                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
                         master_secret.data, master_secret.size);
+                EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
             }
         }
 
@@ -398,15 +403,12 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->server_finished_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_FINISHED, &hash));
 
                 EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_CLIENT,
                         &derived_secret));
                 EXPECT_EQUAL(derived_secret.size, secret.size);
                 EXPECT_BYTEARRAY_EQUAL(derived_secret.data, secret.data, secret.size);
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_app_secret,
-                        secret.data, secret.size);
             }
         }
 
@@ -445,16 +447,13 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->server_finished_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_FINISHED, &hash));
 
                 EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER,
                         &derived_secret));
 
                 EXPECT_EQUAL(derived_secret.size, secret.size);
                 EXPECT_BYTEARRAY_EQUAL(derived_secret.data, secret.data, secret.size);
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.server_app_secret,
-                        secret.data, secret.size);
             }
         }
 
@@ -493,8 +492,7 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->client_finished_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, CLIENT_FINISHED, &hash));
 
                 EXPECT_OK(s2n_derive_resumption_master_secret(conn));
                 EXPECT_EQUAL(derived_secret.size, secret.size);
@@ -546,8 +544,9 @@ int main(int argc, char **argv)
                 /* Early secret retrieved and saved for connection */
                 conn->psk_params.chosen_psk = psk;
                 EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
-                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.early_secret,
+                EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
                         early_secret.data, early_secret.size);
+                EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
             }
         }
 
@@ -611,8 +610,7 @@ int main(int argc, char **argv)
                 DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
                 conn->secure.cipher_suite = cipher_suite;
                 EXPECT_OK(s2n_connection_set_test_early_secret(conn, &early_secret));
-                EXPECT_MEMCPY_SUCCESS(conn->handshake.hashes->client_hello_digest,
-                        hash.data, hash.size);
+                EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, CLIENT_HELLO, &hash));
 
                 EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_EARLY_SECRET, S2N_CLIENT,
                         &derived_secret));

data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_secrets_test.c

@@ -22,6 +22,10 @@
 
 #include "crypto/s2n_ecc_evp.h"
 
+S2N_RESULT s2n_tls13_extract_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type);
+S2N_RESULT s2n_tls13_derive_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type,
+        s2n_mode mode, struct s2n_blob *secret);
+
 static S2N_RESULT s2n_set_test_key_shares(struct s2n_connection *conn, const struct s2n_ecc_named_curve *curve)
 {
     conn->kex_params.server_ecc_evp_params.negotiated_curve = curve;
@@ -64,6 +68,10 @@ int main(int argc, char **argv)
                 for (size_t curve_i = 0; curve_i < curves->count; curve_i++) {
                     for (size_t m1_i = 0; m1_i < s2n_array_len(modes); m1_i++) {
                         for (size_t m2_i = 0; m2_i < s2n_array_len(modes); m2_i++) {
+                            if (curr_type > next_type) {
+                                /* Secret schedule MUST be evaluated in order */
+                                continue;
+                            }
                             test_cases[test_cases_count] = (struct s2n_tls13_secrets_test_case) {
                                 .curr_secret_type = curr_type,
                                 .next_secret_type = next_type,
@@ -101,11 +109,11 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
-            conn->secrets.tls13.secrets_state = S2N_EARLY_SECRET;
+            conn->secrets.tls13.extract_secret_type = S2N_EARLY_SECRET;
 
             EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_EARLY_SECRET);
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
         }
 
         /* Generate all secrets sequentially  */
@@ -113,26 +121,20 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
-            conn->secrets.tls13.secrets_state = S2N_NONE_SECRET;
+            conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
 
             EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_EARLY_SECRET);
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
 
             EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
             EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_HANDSHAKE_SECRET);
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
 
             EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_MASTER_SECRET);
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
         }
 
         /* Generate all secrets at once (backfill) */
@@ -140,14 +142,12 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
-            conn->secrets.tls13.secrets_state = S2N_NONE_SECRET;
+            conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
             EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
 
             EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_MASTER_SECRET);
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
         }
 
         /* All valid parameter combinations should succeed */
@@ -155,7 +155,7 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(test_cases[i].conn_mode),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = test_cases[i].cipher_suite;
-            conn->secrets.tls13.secrets_state = test_cases[i].curr_secret_type;
+            conn->secrets.tls13.extract_secret_type = test_cases[i].curr_secret_type;
             EXPECT_OK(s2n_set_test_key_shares(conn, test_cases[i].curve));
             EXPECT_OK(s2n_tls13_extract_secret(conn, test_cases[i].next_secret_type));
         }
@@ -163,6 +163,13 @@ int main(int argc, char **argv)
 
     /* Test: s2n_tls13_derive_secret */
     {
+        const uint32_t handshake_type = NEGOTIATED | FULL_HANDSHAKE;
+        const int message_nums[] = {
+            [S2N_EARLY_SECRET] = 0,
+            [S2N_HANDSHAKE_SECRET] = 1,
+            [S2N_MASTER_SECRET] = 5,
+        };
+
         /* Safety */
         {
             struct s2n_blob blob = { 0 };
@@ -186,13 +193,36 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
-            conn->secrets.tls13.secrets_state = S2N_NONE_SECRET;
+            conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
 
             EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_EARLY_SECRET, S2N_SERVER, &output));
             EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
         }
 
-        /* Extracts the parent secret if necessary */
+        /* Fails if correct transcript digest not available */
+        {
+            uint8_t output_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
+            struct s2n_blob output = { 0 };
+            EXPECT_SUCCESS(s2n_blob_init(&output, output_bytes, sizeof(output_bytes)));
+
+            DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            conn->actual_protocol_version = S2N_TLS13;
+            conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
+            conn->handshake.handshake_type = handshake_type;
+            EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
+
+            /* Fails with incorrect transcript */
+            conn->handshake.message_number = message_nums[S2N_HANDSHAKE_SECRET];
+            EXPECT_ERROR_WITH_ERRNO(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER, &output),
+                    S2N_ERR_SECRET_SCHEDULE_STATE);
+
+            /* Succeeds with correct transcript */
+            conn->handshake.message_number = message_nums[S2N_MASTER_SECRET];
+            EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER, &output));
+        }
+
+        /* Calculates previous extract secrets if necessary */
         {
             uint8_t output_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
             struct s2n_blob output = { 0 };
@@ -201,14 +231,15 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
-            conn->secrets.tls13.secrets_state = S2N_NONE_SECRET;
+            conn->actual_protocol_version = S2N_TLS13;
+            conn->handshake.handshake_type = handshake_type;
+            conn->handshake.message_number = message_nums[S2N_HANDSHAKE_SECRET];
             EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
 
+            conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
             EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_SERVER, &output));
-            EXPECT_EQUAL(conn->secrets.tls13.secrets_state, S2N_HANDSHAKE_SECRET);
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
         }
 
@@ -221,7 +252,10 @@ int main(int argc, char **argv)
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(test_cases[i].conn_mode),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = test_cases[i].cipher_suite;
-            conn->secrets.tls13.secrets_state = test_cases[i].curr_secret_type;
+            conn->secrets.tls13.extract_secret_type = test_cases[i].curr_secret_type;
+            conn->actual_protocol_version = S2N_TLS13;
+            conn->handshake.handshake_type = handshake_type;
+            conn->handshake.message_number = message_nums[test_cases[i].next_secret_type];
             EXPECT_OK(s2n_set_test_key_shares(conn, test_cases[i].curve));
             EXPECT_OK(s2n_tls13_derive_secret(conn, test_cases[i].next_secret_type, test_cases[i].secret_mode, &output));
             EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
@@ -240,22 +274,16 @@ int main(int argc, char **argv)
             conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
             conn->actual_protocol_version = S2N_TLS13;
 
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
-
-            EXPECT_OK(s2n_connection_set_test_early_secret(conn, &test_secret));
-            EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &test_secret));
-            EXPECT_OK(s2n_connection_set_test_master_secret(conn, &test_secret));
+            EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.extract_secret, test_secret.data, test_secret.size);
+            EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_early_secret, test_secret.data, test_secret.size);
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_handshake_secret, test_secret.data, test_secret.size);
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.server_handshake_secret, test_secret.data, test_secret.size);
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_app_secret, test_secret.data, test_secret.size);
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.server_app_secret, test_secret.data, test_secret.size);
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.resumption_master_secret, test_secret.data, test_secret.size);
 
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_handshake_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.server_handshake_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_app_secret, empty_secret, sizeof(empty_secret));
@@ -264,9 +292,8 @@ int main(int argc, char **argv)
 
             EXPECT_OK(s2n_tls13_secrets_clean(conn));
 
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.early_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
-            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_handshake_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.server_handshake_secret, empty_secret, sizeof(empty_secret));
             EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_app_secret, empty_secret, sizeof(empty_secret));
@@ -286,12 +313,13 @@ int main(int argc, char **argv)
             EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_NONE_SECRET, S2N_CLIENT, &result), S2N_ERR_SAFETY);
             EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, -1, S2N_CLIENT, &result), S2N_ERR_SAFETY);
             EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, 100, S2N_CLIENT, &result), S2N_ERR_SAFETY);
+            EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_EARLY_SECRET, S2N_SERVER, &result), S2N_ERR_SAFETY);
 
-            conn.secrets.tls13.secrets_state = S2N_NONE_SECRET;
+            conn.secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
             EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_HANDSHAKE_SECRET, S2N_CLIENT, &result), S2N_ERR_SAFETY);
         }
 
-        /* Retrieves an existing secret */
+        /* Retrieves a secret */
         {
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
@@ -300,7 +328,7 @@ int main(int argc, char **argv)
 
             EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_handshake_secret,
                     test_secret.data, test_secret.size);
-            conn->secrets.tls13.secrets_state = S2N_HANDSHAKE_SECRET;
+            conn->secrets.tls13.extract_secret_type = S2N_HANDSHAKE_SECRET;
 
             struct s2n_blob result = { 0 };
             uint8_t result_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
@@ -311,29 +339,50 @@ int main(int argc, char **argv)
             EXPECT_TRUE(result.size <= S2N_TLS13_SECRET_MAX_LEN);
             EXPECT_BYTEARRAY_EQUAL(result.data, test_secret.data, result.size);
         }
+    }
 
-        /* Derives a new secret */
+    /* s2n_tls13_secrets_update */
+    {
+        /* Safety */
+        EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_update(NULL), S2N_ERR_NULL);
+
+        /* Derives early secret on CLIENT_HELLO */
         {
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
             conn->actual_protocol_version = S2N_TLS13;
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
 
-            struct s2n_blob result = { 0 };
-            uint8_t result_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
-            EXPECT_SUCCESS(s2n_blob_init(&result, result_bytes, sizeof(result_bytes)));
-            EXPECT_OK(s2n_tls13_secrets_get(conn, S2N_EARLY_SECRET, S2N_CLIENT, &result));
+            /* Early secret not derived if early data not requested */
+            conn->early_data_state = S2N_EARLY_DATA_NOT_REQUESTED;
+            EXPECT_OK(s2n_tls13_secrets_update(conn));
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
 
-            EXPECT_TRUE(result.size > 0);
-            EXPECT_TRUE(result.size <= S2N_TLS13_SECRET_MAX_LEN);
-            EXPECT_BYTEARRAY_NOT_EQUAL(result.data, empty_secret, result.size);
-        }
-    }
+            /* Early secret not derived if early data rejected */
+            conn->early_data_state = S2N_EARLY_DATA_REJECTED;
+            EXPECT_OK(s2n_tls13_secrets_update(conn));
+            EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
 
-    /* s2n_tls13_secrets_update */
-    {
-        /* Safety */
-        EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_update(NULL), S2N_ERR_NULL);
+            /* Early secret derived if early data requested */
+            conn->early_data_state = S2N_EARLY_DATA_REQUESTED;
+            EXPECT_OK(s2n_tls13_secrets_update(conn));
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
+
+            /* Clear secret */
+            EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
+
+            /* Early secret derived if early data accepted */
+            conn->early_data_state = S2N_EARLY_DATA_ACCEPTED;
+            EXPECT_OK(s2n_tls13_secrets_update(conn));
+            EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret,
+                    empty_secret, sizeof(empty_secret));
+        }
 
         /* Derives handshake secrets on SERVER_HELLO */
         {

data/aws-crt-ffi/crt/s2n/tls/s2n_config.c

@@ -22,6 +22,7 @@
 #include "crypto/s2n_fips.h"
 
 #include "tls/s2n_cipher_preferences.h"
+#include "tls/s2n_internal.h"
 #include "tls/s2n_security_policies.h"
 #include "tls/s2n_tls13.h"
 #include "utils/s2n_safety.h"

data/aws-crt-ffi/crt/s2n/tls/s2n_config.h

@@ -18,11 +18,11 @@
 #include "api/s2n.h"
 #include "crypto/s2n_certificate.h"
 #include "crypto/s2n_dhe.h"
+#include "tls/s2n_psk.h"
 #include "tls/s2n_resume.h"
 #include "tls/s2n_x509_validator.h"
 #include "utils/s2n_blob.h"
 #include "utils/s2n_set.h"
-#include "tls/s2n_psk.h"
 
 #define S2N_MAX_TICKET_KEYS 48
 #define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */

data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c

@@ -35,6 +35,7 @@
 #include "tls/s2n_connection_evp_digests.h"
 #include "tls/s2n_handshake.h"
 #include "tls/s2n_kem.h"
+#include "tls/s2n_internal.h"
 #include "tls/s2n_prf.h"
 #include "tls/s2n_record.h"
 #include "tls/s2n_resume.h"
@@ -80,6 +81,10 @@ static int s2n_connection_init_hmacs(struct s2n_connection *conn)
     return 0;
 }
 
+/* Allocates and initializes memory for a new connection.
+ *
+ * Since customers can reuse a connection, ensure that values on the connection are
+ * initialized in `s2n_connection_wipe` where possible. */
 struct s2n_connection *s2n_connection_new(s2n_mode mode)
 {
     struct s2n_blob blob = {0};
@@ -93,24 +98,8 @@ struct s2n_connection *s2n_connection_new(s2n_mode mode)
 
     PTR_GUARD_POSIX(s2n_connection_set_config(conn, s2n_fetch_default_config()));
 
+    /* `mode` is initialized here since its passed in as a parameter. */
     conn->mode = mode;
-    conn->blinding = S2N_BUILT_IN_BLINDING;
-    conn->close_notify_queued = 0;
-    conn->client_session_resumed = 0;
-    conn->session_id_len = 0;
-    conn->verify_host_fn = NULL;
-    conn->data_for_verify_host = NULL;
-    conn->verify_host_fn_overridden = 0;
-    conn->data_for_verify_host = NULL;
-    conn->send = NULL;
-    conn->recv = NULL;
-    conn->send_io_context = NULL;
-    conn->recv_io_context = NULL;
-    conn->corked_io = 0;
-    conn->context = NULL;
-    conn->security_policy_override = NULL;
-    conn->ticket_lifetime_hint = 0;
-    conn->session_ticket_status = S2N_NO_TICKET;
 
     /* Allocate the fixed-size stuffers */
     blob = (struct s2n_blob) {0};
@@ -152,13 +141,15 @@ struct s2n_connection *s2n_connection_new(s2n_mode mode)
     PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->in, 0));
     PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->handshake.io, 0));
     PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->client_hello.raw_message, 0));
-    PTR_GUARD_POSIX(s2n_connection_wipe(conn));
     PTR_GUARD_RESULT(s2n_timer_start(conn->config, &conn->write_timer));
 
-    /* Initialize the cookie stuffer with zero length. If a cookie extension
-     * is received, the stuffer will be resized according to the cookie length */
-    PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->cookie_stuffer, 0));
-
+    /* NOTE: s2n_connection_wipe MUST be called last in this function.
+     *
+     * s2n_connection_wipe is used for initializing values but also used by customers to
+     * reset/reuse the connection. Calling it last ensures that s2n_connection_wipe is
+     * implemented correctly and safe.
+     */
+    PTR_GUARD_POSIX(s2n_connection_wipe(conn));
     return conn;
 }
 
@@ -512,6 +503,12 @@ int s2n_connection_free_handshake(struct s2n_connection *conn)
     return 0;
 }
 
+/* An idempotent operation which initializes values on the connection.
+ *
+ * Called in order to reuse a connection structure for a new connection. Should wipe
+ * any persistent memory, free any temporary memory, and set all fields back to their
+ * defaults.
+ */
 int s2n_connection_wipe(struct s2n_connection *conn)
 {
     /* First make a copy of everything we'd like to save, which isn't very much. */
@@ -537,13 +534,11 @@ int s2n_connection_wipe(struct s2n_connection *conn)
     /* Some required structures might have been freed to conserve memory between handshakes.
      * Restore them.
      */
-
     if (!conn->handshake.hashes) {
         POSIX_GUARD_RESULT(s2n_handshake_hashes_new(&conn->handshake.hashes));
     }
     POSIX_GUARD_RESULT(s2n_handshake_hashes_wipe(conn->handshake.hashes));
     struct s2n_handshake_hashes *handshake_hashes = conn->handshake.hashes;
-
     if (!conn->prf_space) {
         POSIX_GUARD_RESULT(s2n_prf_new(conn));
     }
@@ -575,6 +570,9 @@ int s2n_connection_wipe(struct s2n_connection *conn)
     POSIX_GUARD(s2n_free(&conn->peer_quic_transport_parameters));
     POSIX_GUARD(s2n_free(&conn->server_early_data_context));
     POSIX_GUARD(s2n_free(&conn->tls13_ticket_fields.session_secret));
+    /* TODO: Simplify cookie_stuffer implementation.
+     * https://github.com/aws/s2n-tls/issues/3287 */
+    POSIX_GUARD(s2n_stuffer_free(&conn->cookie_stuffer));
 
     /* Allocate memory for handling handshakes */
     POSIX_GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH));
@@ -658,6 +656,13 @@ int s2n_connection_wipe(struct s2n_connection *conn)
         conn->actual_protocol_version = s2n_highest_protocol_version;
     }
 
+    /* Initialize remaining values */
+    conn->blinding = S2N_BUILT_IN_BLINDING;
+    conn->session_ticket_status = S2N_NO_TICKET;
+    /* Initialize the cookie stuffer with zero length. If a cookie extension
+     * is received, the stuffer will be resized according to the cookie length */
+    POSIX_GUARD(s2n_stuffer_growable_alloc(&conn->cookie_stuffer, 0));
+
     return 0;
 }
 

data/aws-crt-ffi/crt/s2n/tls/s2n_connection.h

@@ -26,16 +26,16 @@
 #include "tls/s2n_config.h"
 #include "tls/s2n_crypto.h"
 #include "tls/s2n_early_data.h"
+#include "tls/s2n_ecc_preferences.h"
 #include "tls/s2n_handshake.h"
+#include "tls/s2n_kem_preferences.h"
+#include "tls/s2n_key_update.h"
 #include "tls/s2n_prf.h"
 #include "tls/s2n_quic_support.h"
+#include "tls/s2n_record.h"
+#include "tls/s2n_security_policies.h"
 #include "tls/s2n_tls_parameters.h"
 #include "tls/s2n_x509_validator.h"
-#include "tls/s2n_key_update.h"
-#include "tls/s2n_kem_preferences.h"
-#include "tls/s2n_ecc_preferences.h"
-#include "tls/s2n_security_policies.h"
-#include "tls/s2n_record.h"
 
 #include "crypto/s2n_hash.h"
 #include "crypto/s2n_hmac.h"

data/aws-crt-ffi/crt/s2n/tls/s2n_handshake_hashes.h

@@ -30,14 +30,8 @@ struct s2n_handshake_hashes {
     struct s2n_hash_state md5_sha1;
 
     /* TLS1.3 requires transcript hash digests to calculate secrets.
-     * Because the transcript hash may be updated again before we
-     * calculate a secret that requires a specific state, we store
-     * copies of digests used for secret derivation.
      */
-    uint8_t client_hello_digest[S2N_TLS13_SECRET_MAX_LEN];
-    uint8_t server_hello_digest[S2N_TLS13_SECRET_MAX_LEN];
-    uint8_t server_finished_digest[S2N_TLS13_SECRET_MAX_LEN];
-    uint8_t client_finished_digest[S2N_TLS13_SECRET_MAX_LEN];
+    uint8_t transcript_hash_digest[S2N_TLS13_SECRET_MAX_LEN];
 
     /* To avoid allocating memory for hash objects, we reuse one temporary hash object.
      * Do NOT rely on this hash state maintaining its value outside of the current context.

data/aws-crt-ffi/crt/s2n/tls/s2n_handshake_io.c

@@ -1008,6 +1008,7 @@ static int s2n_handshake_write_io(struct s2n_connection *conn)
     POSIX_GUARD(s2n_stuffer_wipe(&conn->handshake.io));
 
     /* Update the secrets, if necessary */
+    POSIX_GUARD_RESULT(s2n_tls13_secrets_update(conn));
     POSIX_GUARD_RESULT(s2n_tls13_key_schedule_update(conn));
 
     /* Advance the state machine */
@@ -1139,6 +1140,7 @@ static S2N_RESULT s2n_finish_read(struct s2n_connection *conn)
 
     RESULT_GUARD_POSIX(s2n_handshake_conn_update_hashes(conn));
     RESULT_GUARD_POSIX(s2n_stuffer_wipe(&conn->handshake.io));
+    RESULT_GUARD(s2n_tls13_secrets_update(conn));
     RESULT_GUARD(s2n_tls13_key_schedule_update(conn));
     RESULT_GUARD_POSIX(s2n_advance_message(conn));
     return S2N_RESULT_OK;