aws-crt 0.1.5 → 0.1.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/aws-crt-ffi/CMakeLists.txt +49 -41
- data/aws-crt-ffi/crt/aws-c-auth/CMakeLists.txt +0 -10
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/credentials.h +3 -2
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/credentials_utils.h +4 -4
- data/aws-crt-ffi/crt/aws-c-auth/source/auth.c +1 -14
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_imds_client.c +206 -68
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_signing.c +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_cached.c +6 -6
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_default_chain.c +16 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_ecs.c +0 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_process.c +0 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_sts_web_identity.c +0 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_x509.c +10 -7
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_utils.c +35 -26
- data/aws-crt-ffi/crt/aws-c-auth/source/signable_chunk.c +3 -2
- data/aws-crt-ffi/crt/aws-c-auth/tests/CMakeLists.txt +3 -2
- data/aws-crt-ffi/crt/aws-c-auth/tests/aws_imds_client_test.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_ecs_tests.c +3 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_process_tests.c +65 -16
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_tests.c +125 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/sigv4_signing_tests.c +68 -46
- data/aws-crt-ffi/crt/aws-c-cal/CMakeLists.txt +8 -3
- data/aws-crt-ffi/crt/aws-c-cal/bin/run_x_platform_fuzz_corpus/main.c +9 -0
- data/aws-crt-ffi/crt/aws-c-cal/builder.json +11 -3
- data/aws-crt-ffi/crt/aws-c-cal/cmake/aws-c-cal-config.cmake +14 -5
- data/aws-crt-ffi/crt/aws-c-cal/source/darwin/securityframework_ecc.c +6 -6
- data/aws-crt-ffi/crt/aws-c-cal/source/windows/bcrypt_ecc.c +12 -12
- data/aws-crt-ffi/crt/aws-c-cal/tests/test_case_helper.h +14 -14
- data/aws-crt-ffi/crt/aws-c-common/CMakeLists.txt +21 -1
- data/aws-crt-ffi/crt/aws-c-common/README.md +8 -0
- data/aws-crt-ffi/crt/aws-c-common/cmake/AwsCFlags.cmake +20 -5
- data/aws-crt-ffi/crt/aws-c-common/cmake/AwsFeatureTests.cmake +7 -1
- data/aws-crt-ffi/crt/aws-c-common/format-check.sh +1 -1
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/byte_buf.h +14 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/config.h.in +1 -0
- data/aws-crt-ffi/crt/{aws-c-auth/include/aws/auth → aws-c-common/include/aws/common}/external/cJSON.h +82 -74
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/json.h +335 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/logging.h +1 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/math.inl +2 -2
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/private/json_impl.h +22 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/testing/aws_test_harness.h +2 -0
- data/aws-crt-ffi/crt/aws-c-common/source/byte_buf.c +36 -0
- data/aws-crt-ffi/crt/aws-c-common/source/common.c +5 -2
- data/aws-crt-ffi/crt/aws-c-common/source/external/cJSON.c +3113 -0
- data/aws-crt-ffi/crt/aws-c-common/source/file.c +9 -0
- data/aws-crt-ffi/crt/aws-c-common/source/json.c +348 -0
- data/aws-crt-ffi/crt/aws-c-common/source/logging.c +7 -2
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_info.c +8 -0
- data/aws-crt-ffi/crt/aws-c-common/source/ref_count.c +3 -1
- data/aws-crt-ffi/crt/aws-c-common/source/windows/file.c +47 -0
- data/aws-crt-ffi/crt/aws-c-common/source/windows/system_info.c +2 -1
- data/aws-crt-ffi/crt/aws-c-common/tests/CMakeLists.txt +5 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/byte_buf_test.c +69 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/json_test.c +134 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/memtrace_test.c +6 -2
- data/aws-crt-ffi/crt/aws-c-event-stream/README.md +18 -35
- data/aws-crt-ffi/crt/aws-c-event-stream/include/aws/event-stream/event_stream.h +21 -2
- data/aws-crt-ffi/crt/aws-c-event-stream/include/aws/event-stream/event_stream_rpc_client.h +14 -2
- data/aws-crt-ffi/crt/aws-c-event-stream/include/aws/event-stream/event_stream_rpc_server.h +13 -0
- data/aws-crt-ffi/crt/aws-c-event-stream/include/aws/event-stream/private/event_stream_rpc_priv.h +7 -7
- data/aws-crt-ffi/crt/aws-c-event-stream/source/event_stream.c +257 -141
- data/aws-crt-ffi/crt/aws-c-event-stream/source/event_stream_channel_handler.c +1 -1
- data/aws-crt-ffi/crt/aws-c-event-stream/source/event_stream_rpc_client.c +31 -8
- data/aws-crt-ffi/crt/aws-c-event-stream/source/event_stream_rpc_server.c +63 -10
- data/aws-crt-ffi/crt/aws-c-event-stream/tests/CMakeLists.txt +2 -0
- data/aws-crt-ffi/crt/aws-c-event-stream/tests/event_stream_rpc_client_connection_test.c +157 -106
- data/aws-crt-ffi/crt/aws-c-event-stream/tests/event_stream_rpc_server_connection_test.c +168 -1
- data/aws-crt-ffi/crt/aws-c-event-stream/tests/message_deserializer_test.c +4 -2
- data/aws-crt-ffi/crt/aws-c-http/CMakeLists.txt +1 -0
- data/aws-crt-ffi/crt/aws-c-http/README.md +8 -0
- data/aws-crt-ffi/crt/aws-c-http/bin/elasticurl/main.c +1 -1
- data/aws-crt-ffi/crt/aws-c-http/builder.json +4 -3
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection.h +8 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection_manager.h +45 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/http2_stream_manager.h +63 -12
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_impl.h +2 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/h2_connection.h +20 -2
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/h2_frames.h +1 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/h2_stream.h +42 -13
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/http2_stream_manager_impl.h +17 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/http_impl.h +3 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/random_access_set.h +10 -3
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/request_response_impl.h +3 -17
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/request_response.h +108 -4
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/statistics.h +22 -0
- data/aws-crt-ffi/crt/aws-c-http/source/connection.c +8 -3
- data/aws-crt-ffi/crt/aws-c-http/source/connection_manager.c +22 -3
- data/aws-crt-ffi/crt/aws-c-http/source/connection_monitor.c +32 -14
- data/aws-crt-ffi/crt/aws-c-http/source/h1_connection.c +14 -0
- data/aws-crt-ffi/crt/aws-c-http/source/h1_encoder.c +7 -4
- data/aws-crt-ffi/crt/aws-c-http/source/h2_connection.c +161 -45
- data/aws-crt-ffi/crt/aws-c-http/source/h2_decoder.c +37 -8
- data/aws-crt-ffi/crt/aws-c-http/source/h2_frames.c +13 -1
- data/aws-crt-ffi/crt/aws-c-http/source/h2_stream.c +345 -87
- data/aws-crt-ffi/crt/aws-c-http/source/hpack.c +3 -0
- data/aws-crt-ffi/crt/aws-c-http/source/http.c +3 -0
- data/aws-crt-ffi/crt/aws-c-http/source/http2_stream_manager.c +266 -39
- data/aws-crt-ffi/crt/aws-c-http/source/random_access_set.c +9 -3
- data/aws-crt-ffi/crt/aws-c-http/source/request_response.c +80 -20
- data/aws-crt-ffi/crt/aws-c-http/source/statistics.c +11 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt +28 -1
- data/aws-crt-ffi/crt/aws-c-http/tests/fuzz/fuzz_h2_decoder_correct.c +5 -3
- data/aws-crt-ffi/crt/aws-c-http/tests/h2_test_helper.c +133 -29
- data/aws-crt-ffi/crt/aws-c-http/tests/h2_test_helper.h +6 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/py_localhost/README.md +40 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/py_localhost/non_tls_server.py +56 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/py_localhost/server.py +329 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_manager.c +1 -1
- data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_monitor.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_client.c +47 -34
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_encoder.c +4 -4
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_server.c +15 -12
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h2_client.c +582 -25
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h2_encoder.c +3 -3
- data/aws-crt-ffi/crt/aws-c-http/tests/test_localhost_integ.c +530 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/test_stream_manager.c +459 -67
- data/aws-crt-ffi/crt/aws-c-io/CMakeLists.txt +4 -0
- data/aws-crt-ffi/crt/aws-c-io/builder.json +3 -2
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/channel.h +21 -0
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/io.h +3 -0
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/socket.h +6 -0
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/stream.h +35 -5
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/tls_channel_handler.h +211 -15
- data/aws-crt-ffi/crt/aws-c-io/source/channel.c +56 -30
- data/aws-crt-ffi/crt/aws-c-io/source/darwin/secure_transport_tls_channel_handler.c +0 -24
- data/aws-crt-ffi/crt/aws-c-io/source/io.c +9 -0
- data/aws-crt-ffi/crt/aws-c-io/source/{pkcs11.c → pkcs11_lib.c} +162 -22
- data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_private.h +18 -20
- data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_tls_op_handler.c +221 -0
- data/aws-crt-ffi/crt/aws-c-io/source/posix/socket.c +135 -81
- data/aws-crt-ffi/crt/aws-c-io/source/retry_strategy.c +12 -8
- data/aws-crt-ffi/crt/aws-c-io/source/s2n/s2n_tls_channel_handler.c +252 -215
- data/aws-crt-ffi/crt/aws-c-io/source/stream.c +65 -82
- data/aws-crt-ffi/crt/aws-c-io/source/tls_channel_handler.c +188 -57
- data/aws-crt-ffi/crt/aws-c-io/source/windows/iocp/socket.c +271 -256
- data/aws-crt-ffi/crt/aws-c-io/tests/CMakeLists.txt +21 -12
- data/aws-crt-ffi/crt/aws-c-io/tests/channel_test.c +32 -4
- data/aws-crt-ffi/crt/aws-c-io/tests/io_lib_test.c +37 -0
- data/aws-crt-ffi/crt/aws-c-io/tests/pkcs11_test.c +412 -93
- data/aws-crt-ffi/crt/aws-c-io/tests/resources/ec_unittests.crt +15 -0
- data/aws-crt-ffi/crt/aws-c-io/tests/resources/ec_unittests.key +5 -0
- data/aws-crt-ffi/crt/aws-c-io/tests/resources/ec_unittests.p12 +0 -0
- data/aws-crt-ffi/crt/aws-c-io/tests/resources/ec_unittests.p8 +5 -0
- data/aws-crt-ffi/crt/aws-c-io/tests/resources/generateCerts.sh +24 -15
- data/aws-crt-ffi/crt/aws-c-io/tests/socket_test.c +72 -1
- data/aws-crt-ffi/crt/s2n/CMakeLists.txt +6 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/Cargo.toml +1 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/generate/src/main.rs +105 -82
- data/aws-crt-ffi/crt/s2n/bindings/rust/generate.sh +1 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/src/raw/config.rs +1 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/Cargo.toml +1 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/build.rs +84 -30
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/src/lib.rs +4 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml +21 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/certs/cert.pem +14 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/certs/key.pem +8 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/client.rs +45 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/server.rs +60 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/src/lib.rs +150 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/tests/handshake.rs +51 -0
- data/aws-crt-ffi/crt/s2n/crypto/s2n_drbg.c +98 -77
- data/aws-crt-ffi/crt/s2n/crypto/s2n_drbg.h +10 -7
- data/aws-crt-ffi/crt/s2n/crypto/s2n_openssl.h +2 -0
- data/aws-crt-ffi/crt/s2n/error/s2n_errno.c +1 -1
- data/aws-crt-ffi/crt/s2n/error/s2n_errno.h +1 -0
- data/aws-crt-ffi/crt/s2n/s2n.mk +7 -0
- data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/repository.py +233 -0
- data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/setup-proof.py +8 -7
- data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/setup.py +17 -18
- data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/util.py +41 -23
- data/aws-crt-ffi/crt/s2n/tests/fuzz/LD_PRELOAD/global_overrides.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/integration/s2n_client_endpoint_handshake_test.py +2 -2
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/Makefile +13 -42
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/README.md +6 -1
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/common.py +118 -53
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/configuration.py +108 -88
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/conftest.py +6 -3
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/constants.py +6 -4
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/fixtures.py +21 -12
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/global_flags.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/processes.py +62 -19
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/providers.py +304 -48
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_client_authentication.py +20 -11
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_cross_compatibility.py +41 -17
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_dynamic_record_sizes.py +6 -3
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_early_data.py +105 -48
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_external_psk.py +160 -76
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_fragmentation.py +59 -26
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_happy_path.py +42 -28
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_hello_retry_requests.py +33 -13
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_key_update.py +29 -11
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_ocsp.py +138 -0
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_pq_handshake.py +103 -36
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_session_resumption.py +52 -25
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_signature_algorithms.py +47 -21
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_sni_match.py +13 -9
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_sslyze.py +88 -17
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py +71 -22
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_well_known_endpoints.py +4 -3
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/tox.ini +1 -0
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/utils.py +50 -15
- data/aws-crt-ffi/crt/s2n/tests/litani/CHANGELOG +131 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/CONTRIBUTING.md +16 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/README.md +36 -14
- data/aws-crt-ffi/crt/s2n/tests/litani/THIRD-PARTY +205 -41
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/bin/build-html-doc +7 -7
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/configure +27 -23
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/src/man/litani-add-job.scdoc +7 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/src/man/litani-dump-run.scdoc +7 -5
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/src/man/litani-transform-jobs.scdoc +248 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/src/man/litani.scdoc +2 -2
- data/aws-crt-ffi/crt/s2n/tests/litani/doc/templates/index.jinja.html +4 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/add-root-node/README +12 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/add-root-node/original-run.sh +52 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/add-root-node/run-all.py +71 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/no-standalone-transform/README +13 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/no-standalone-transform/run-1.sh +34 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/no-standalone-transform/run-2.sh +35 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/no-standalone-transform/run-3.sh +34 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/no-standalone-transform/run-all.py +60 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/README.md +10 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/assumptions.html +42 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/file.dat +7 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/histogram.dat +7 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/run-1.sh +41 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/run-2.sh +47 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/run-3.sh +41 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/run-all.py +34 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/fib-table.py +40 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/fib.plt +5 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/fib.py +32 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/sin-output.py +40 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/sin.plt +5 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/scripts/sin.py +30 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/templates/fib-table.jinja.html +45 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/examples/rich-output/templates/sin-output.jinja.html +30 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/add_job.py +55 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/graph.py +2 -2
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/litani.py +6 -1
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/litani_report.py +18 -21
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/ninja.py +2 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/run_printer.py +26 -7
- data/aws-crt-ffi/crt/s2n/tests/litani/lib/transform_jobs.py +84 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/litani +28 -33
- data/aws-crt-ffi/crt/s2n/tests/litani/script/release +220 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/templates/dashboard.jinja.html +78 -15
- data/aws-crt-ffi/crt/s2n/tests/litani/templates/pipeline.jinja.html +21 -5
- data/aws-crt-ffi/crt/s2n/tests/litani/test/README +15 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/run +56 -33
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/custom_stages.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/cwd.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/dump_run.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/graph_line_break.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/html_node.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/job_id_env.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/multiproc_dump_run.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/no_pool_serialize.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/no_pool_serialize_graph.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/no_timed_out.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/no_timed_out_timeout_ignored.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/no_timed_out_timeout_ok.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/pipeline_order.py +53 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/pool_serialize.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/pool_serialize_graph.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/single_pool.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out_subprocess.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out_subprocess_multi_shell.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out_subprocess_shell.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out_timeout_ignored.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/timed_out_timeout_ok.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/transform_delete_job.py +54 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/transform_modify_job.py +46 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/transform_no_change_job.py +44 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/e2e/tests/zero_pool.py +1 -0
- data/aws-crt-ffi/crt/s2n/tests/litani/test/run +82 -12
- data/aws-crt-ffi/crt/s2n/tests/s2n_test.h +58 -33
- data/aws-crt-ffi/crt/s2n/tests/testlib/s2n_key_schedule_testlib.c +18 -6
- data/aws-crt-ffi/crt/s2n/tests/testlib/s2n_pq_kat_test_utils.c +4 -4
- data/aws-crt-ffi/crt/s2n/tests/testlib/s2n_testlib.h +2 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_retry_test.c +66 -2
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_drbg_test.c +34 -14
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_fork_generation_number_test.c +28 -5
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_mem_usage_test.c +6 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_override_openssl_random_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_random_test.c +60 -41
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_broken_pipe_test.c +2 -2
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_handshake_early_data_test.c +3 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_hybrid_shared_secret_test.c +9 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_key_schedule_rfc8448_test.c +31 -130
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_key_schedule_test.c +2 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_pq_handshake_test.c +11 -6
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_secrets_rfc8448_test.c +19 -21
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_secrets_test.c +109 -60
- data/aws-crt-ffi/crt/s2n/tls/s2n_config.c +1 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_config.h +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c +29 -24
- data/aws-crt-ffi/crt/s2n/tls/s2n_connection.h +5 -5
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake_hashes.h +1 -7
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake_io.c +2 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake_transcript.c +0 -44
- data/aws-crt-ffi/crt/s2n/tls/s2n_internal.h +0 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.h +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_key_schedule.c +1 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_secrets.c +84 -44
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_secrets.h +3 -9
- data/aws-crt-ffi/crt/s2n/utils/s2n_blob.h +15 -8
- data/aws-crt-ffi/crt/s2n/utils/s2n_fork_detection.c +2 -6
- data/aws-crt-ffi/crt/s2n/utils/s2n_random.c +9 -9
- data/aws-crt-ffi/src/input_stream.c +32 -15
- data/ext/compile.rb +13 -5
- data/lib/aws-crt/platforms.rb +14 -5
- data/lib/aws-crt/string_blob.rb +3 -3
- metadata +61 -7
- data/aws-crt-ffi/crt/aws-c-auth/source/external/cJSON.c +0 -2987
- data/aws-crt-ffi/crt/aws-c-auth/tests/external/cJSON.c +0 -2986
- data/aws-crt-ffi/crt/aws-c-io/tests/error_test.c +0 -20
@@ -33,6 +33,9 @@ const int server_hello_message_num = 1;
|
|
33
33
|
const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };
|
34
34
|
|
35
35
|
S2N_RESULT s2n_extract_early_secret(struct s2n_psk *psk);
|
36
|
+
S2N_RESULT s2n_tls13_extract_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type);
|
37
|
+
S2N_RESULT s2n_tls13_derive_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type,
|
38
|
+
s2n_mode mode, struct s2n_blob *secret);
|
36
39
|
|
37
40
|
int main(int argc, char **argv)
|
38
41
|
{
|
@@ -74,8 +77,9 @@ int main(int argc, char **argv)
|
|
74
77
|
conn->secure.cipher_suite = cipher_suite;
|
75
78
|
|
76
79
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
|
77
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
80
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
|
78
81
|
early_secret.data, early_secret.size);
|
82
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
|
79
83
|
}
|
80
84
|
}
|
81
85
|
|
@@ -159,8 +163,9 @@ int main(int argc, char **argv)
|
|
159
163
|
EXPECT_NOT_NULL(conn->kex_params.client_ecc_evp_params.evp_pkey);
|
160
164
|
|
161
165
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
|
162
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
166
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
|
163
167
|
handshake_secret.data, handshake_secret.size);
|
168
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
|
164
169
|
}
|
165
170
|
|
166
171
|
/* Client */
|
@@ -180,8 +185,9 @@ int main(int argc, char **argv)
|
|
180
185
|
EXPECT_NOT_NULL(conn->kex_params.client_ecc_evp_params.evp_pkey);
|
181
186
|
|
182
187
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
|
183
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
188
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
|
184
189
|
handshake_secret.data, handshake_secret.size);
|
190
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
|
185
191
|
}
|
186
192
|
}
|
187
193
|
#endif
|
@@ -246,8 +252,7 @@ int main(int argc, char **argv)
|
|
246
252
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
247
253
|
conn->secure.cipher_suite = cipher_suite;
|
248
254
|
EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
|
249
|
-
|
250
|
-
hash.data, hash.size);
|
255
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_HELLO, &hash));
|
251
256
|
|
252
257
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_CLIENT,
|
253
258
|
&derived_secret));
|
@@ -315,8 +320,7 @@ int main(int argc, char **argv)
|
|
315
320
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
316
321
|
conn->secure.cipher_suite = cipher_suite;
|
317
322
|
EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
|
318
|
-
|
319
|
-
hash.data, hash.size);
|
323
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_HELLO, &hash));
|
320
324
|
|
321
325
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_SERVER,
|
322
326
|
&derived_secret));
|
@@ -360,8 +364,9 @@ int main(int argc, char **argv)
|
|
360
364
|
EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &handshake_secret));
|
361
365
|
|
362
366
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
|
363
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
367
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
|
364
368
|
master_secret.data, master_secret.size);
|
369
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
|
365
370
|
}
|
366
371
|
}
|
367
372
|
|
@@ -398,15 +403,12 @@ int main(int argc, char **argv)
|
|
398
403
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
399
404
|
conn->secure.cipher_suite = cipher_suite;
|
400
405
|
EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
|
401
|
-
|
402
|
-
hash.data, hash.size);
|
406
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_FINISHED, &hash));
|
403
407
|
|
404
408
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_CLIENT,
|
405
409
|
&derived_secret));
|
406
410
|
EXPECT_EQUAL(derived_secret.size, secret.size);
|
407
411
|
EXPECT_BYTEARRAY_EQUAL(derived_secret.data, secret.data, secret.size);
|
408
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_app_secret,
|
409
|
-
secret.data, secret.size);
|
410
412
|
}
|
411
413
|
}
|
412
414
|
|
@@ -445,16 +447,13 @@ int main(int argc, char **argv)
|
|
445
447
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
446
448
|
conn->secure.cipher_suite = cipher_suite;
|
447
449
|
EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
|
448
|
-
|
449
|
-
hash.data, hash.size);
|
450
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, SERVER_FINISHED, &hash));
|
450
451
|
|
451
452
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER,
|
452
453
|
&derived_secret));
|
453
454
|
|
454
455
|
EXPECT_EQUAL(derived_secret.size, secret.size);
|
455
456
|
EXPECT_BYTEARRAY_EQUAL(derived_secret.data, secret.data, secret.size);
|
456
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.server_app_secret,
|
457
|
-
secret.data, secret.size);
|
458
457
|
}
|
459
458
|
}
|
460
459
|
|
@@ -493,8 +492,7 @@ int main(int argc, char **argv)
|
|
493
492
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
494
493
|
conn->secure.cipher_suite = cipher_suite;
|
495
494
|
EXPECT_OK(s2n_connection_set_test_master_secret(conn, &master_secret));
|
496
|
-
|
497
|
-
hash.data, hash.size);
|
495
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, CLIENT_FINISHED, &hash));
|
498
496
|
|
499
497
|
EXPECT_OK(s2n_derive_resumption_master_secret(conn));
|
500
498
|
EXPECT_EQUAL(derived_secret.size, secret.size);
|
@@ -546,8 +544,9 @@ int main(int argc, char **argv)
|
|
546
544
|
/* Early secret retrieved and saved for connection */
|
547
545
|
conn->psk_params.chosen_psk = psk;
|
548
546
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
|
549
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
547
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret,
|
550
548
|
early_secret.data, early_secret.size);
|
549
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
|
551
550
|
}
|
552
551
|
}
|
553
552
|
|
@@ -611,8 +610,7 @@ int main(int argc, char **argv)
|
|
611
610
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(modes[i]), s2n_connection_ptr_free);
|
612
611
|
conn->secure.cipher_suite = cipher_suite;
|
613
612
|
EXPECT_OK(s2n_connection_set_test_early_secret(conn, &early_secret));
|
614
|
-
|
615
|
-
hash.data, hash.size);
|
613
|
+
EXPECT_OK(s2n_connection_set_test_transcript_hash(conn, CLIENT_HELLO, &hash));
|
616
614
|
|
617
615
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_EARLY_SECRET, S2N_CLIENT,
|
618
616
|
&derived_secret));
|
@@ -22,6 +22,10 @@
|
|
22
22
|
|
23
23
|
#include "crypto/s2n_ecc_evp.h"
|
24
24
|
|
25
|
+
S2N_RESULT s2n_tls13_extract_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type);
|
26
|
+
S2N_RESULT s2n_tls13_derive_secret(struct s2n_connection *conn, s2n_extract_secret_type_t secret_type,
|
27
|
+
s2n_mode mode, struct s2n_blob *secret);
|
28
|
+
|
25
29
|
static S2N_RESULT s2n_set_test_key_shares(struct s2n_connection *conn, const struct s2n_ecc_named_curve *curve)
|
26
30
|
{
|
27
31
|
conn->kex_params.server_ecc_evp_params.negotiated_curve = curve;
|
@@ -64,6 +68,10 @@ int main(int argc, char **argv)
|
|
64
68
|
for (size_t curve_i = 0; curve_i < curves->count; curve_i++) {
|
65
69
|
for (size_t m1_i = 0; m1_i < s2n_array_len(modes); m1_i++) {
|
66
70
|
for (size_t m2_i = 0; m2_i < s2n_array_len(modes); m2_i++) {
|
71
|
+
if (curr_type > next_type) {
|
72
|
+
/* Secret schedule MUST be evaluated in order */
|
73
|
+
continue;
|
74
|
+
}
|
67
75
|
test_cases[test_cases_count] = (struct s2n_tls13_secrets_test_case) {
|
68
76
|
.curr_secret_type = curr_type,
|
69
77
|
.next_secret_type = next_type,
|
@@ -101,11 +109,11 @@ int main(int argc, char **argv)
|
|
101
109
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
102
110
|
s2n_connection_ptr_free);
|
103
111
|
conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
|
104
|
-
conn->secrets.tls13.
|
112
|
+
conn->secrets.tls13.extract_secret_type = S2N_EARLY_SECRET;
|
105
113
|
|
106
114
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
|
107
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
108
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
115
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
|
116
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
109
117
|
}
|
110
118
|
|
111
119
|
/* Generate all secrets sequentially */
|
@@ -113,26 +121,20 @@ int main(int argc, char **argv)
|
|
113
121
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
114
122
|
s2n_connection_ptr_free);
|
115
123
|
conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
116
|
-
conn->secrets.tls13.
|
124
|
+
conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
|
117
125
|
|
118
126
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_EARLY_SECRET));
|
119
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
120
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
121
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
|
122
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
127
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_EARLY_SECRET);
|
128
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
123
129
|
|
124
130
|
EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
|
125
131
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_HANDSHAKE_SECRET));
|
126
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
127
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
128
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
|
129
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
132
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
|
133
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
130
134
|
|
131
135
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
|
132
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
133
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
134
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
|
135
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
136
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
|
137
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
136
138
|
}
|
137
139
|
|
138
140
|
/* Generate all secrets at once (backfill) */
|
@@ -140,14 +142,12 @@ int main(int argc, char **argv)
|
|
140
142
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
141
143
|
s2n_connection_ptr_free);
|
142
144
|
conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
|
143
|
-
conn->secrets.tls13.
|
145
|
+
conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
|
144
146
|
EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
|
145
147
|
|
146
148
|
EXPECT_OK(s2n_tls13_extract_secret(conn, S2N_MASTER_SECRET));
|
147
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
148
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
149
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
|
150
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
149
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_MASTER_SECRET);
|
150
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
151
151
|
}
|
152
152
|
|
153
153
|
/* All valid parameter combinations should succeed */
|
@@ -155,7 +155,7 @@ int main(int argc, char **argv)
|
|
155
155
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(test_cases[i].conn_mode),
|
156
156
|
s2n_connection_ptr_free);
|
157
157
|
conn->secure.cipher_suite = test_cases[i].cipher_suite;
|
158
|
-
conn->secrets.tls13.
|
158
|
+
conn->secrets.tls13.extract_secret_type = test_cases[i].curr_secret_type;
|
159
159
|
EXPECT_OK(s2n_set_test_key_shares(conn, test_cases[i].curve));
|
160
160
|
EXPECT_OK(s2n_tls13_extract_secret(conn, test_cases[i].next_secret_type));
|
161
161
|
}
|
@@ -163,6 +163,13 @@ int main(int argc, char **argv)
|
|
163
163
|
|
164
164
|
/* Test: s2n_tls13_derive_secret */
|
165
165
|
{
|
166
|
+
const uint32_t handshake_type = NEGOTIATED | FULL_HANDSHAKE;
|
167
|
+
const int message_nums[] = {
|
168
|
+
[S2N_EARLY_SECRET] = 0,
|
169
|
+
[S2N_HANDSHAKE_SECRET] = 1,
|
170
|
+
[S2N_MASTER_SECRET] = 5,
|
171
|
+
};
|
172
|
+
|
166
173
|
/* Safety */
|
167
174
|
{
|
168
175
|
struct s2n_blob blob = { 0 };
|
@@ -186,13 +193,36 @@ int main(int argc, char **argv)
|
|
186
193
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
187
194
|
s2n_connection_ptr_free);
|
188
195
|
conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
|
189
|
-
conn->secrets.tls13.
|
196
|
+
conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
|
190
197
|
|
191
198
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_EARLY_SECRET, S2N_SERVER, &output));
|
192
199
|
EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
|
193
200
|
}
|
194
201
|
|
195
|
-
/*
|
202
|
+
/* Fails if correct transcript digest not available */
|
203
|
+
{
|
204
|
+
uint8_t output_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
|
205
|
+
struct s2n_blob output = { 0 };
|
206
|
+
EXPECT_SUCCESS(s2n_blob_init(&output, output_bytes, sizeof(output_bytes)));
|
207
|
+
|
208
|
+
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
209
|
+
s2n_connection_ptr_free);
|
210
|
+
conn->actual_protocol_version = S2N_TLS13;
|
211
|
+
conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
|
212
|
+
conn->handshake.handshake_type = handshake_type;
|
213
|
+
EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
|
214
|
+
|
215
|
+
/* Fails with incorrect transcript */
|
216
|
+
conn->handshake.message_number = message_nums[S2N_HANDSHAKE_SECRET];
|
217
|
+
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER, &output),
|
218
|
+
S2N_ERR_SECRET_SCHEDULE_STATE);
|
219
|
+
|
220
|
+
/* Succeeds with correct transcript */
|
221
|
+
conn->handshake.message_number = message_nums[S2N_MASTER_SECRET];
|
222
|
+
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_MASTER_SECRET, S2N_SERVER, &output));
|
223
|
+
}
|
224
|
+
|
225
|
+
/* Calculates previous extract secrets if necessary */
|
196
226
|
{
|
197
227
|
uint8_t output_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
|
198
228
|
struct s2n_blob output = { 0 };
|
@@ -201,14 +231,15 @@ int main(int argc, char **argv)
|
|
201
231
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
202
232
|
s2n_connection_ptr_free);
|
203
233
|
conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
|
204
|
-
conn->
|
234
|
+
conn->actual_protocol_version = S2N_TLS13;
|
235
|
+
conn->handshake.handshake_type = handshake_type;
|
236
|
+
conn->handshake.message_number = message_nums[S2N_HANDSHAKE_SECRET];
|
205
237
|
EXPECT_OK(s2n_set_test_key_shares(conn, &s2n_ecc_curve_secp256r1));
|
206
238
|
|
239
|
+
conn->secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
|
207
240
|
EXPECT_OK(s2n_tls13_derive_secret(conn, S2N_HANDSHAKE_SECRET, S2N_SERVER, &output));
|
208
|
-
EXPECT_EQUAL(conn->secrets.tls13.
|
209
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
210
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.handshake_secret, empty_secret, sizeof(empty_secret));
|
211
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
241
|
+
EXPECT_EQUAL(conn->secrets.tls13.extract_secret_type, S2N_HANDSHAKE_SECRET);
|
242
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
212
243
|
EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
|
213
244
|
}
|
214
245
|
|
@@ -221,7 +252,10 @@ int main(int argc, char **argv)
|
|
221
252
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(test_cases[i].conn_mode),
|
222
253
|
s2n_connection_ptr_free);
|
223
254
|
conn->secure.cipher_suite = test_cases[i].cipher_suite;
|
224
|
-
conn->secrets.tls13.
|
255
|
+
conn->secrets.tls13.extract_secret_type = test_cases[i].curr_secret_type;
|
256
|
+
conn->actual_protocol_version = S2N_TLS13;
|
257
|
+
conn->handshake.handshake_type = handshake_type;
|
258
|
+
conn->handshake.message_number = message_nums[test_cases[i].next_secret_type];
|
225
259
|
EXPECT_OK(s2n_set_test_key_shares(conn, test_cases[i].curve));
|
226
260
|
EXPECT_OK(s2n_tls13_derive_secret(conn, test_cases[i].next_secret_type, test_cases[i].secret_mode, &output));
|
227
261
|
EXPECT_BYTEARRAY_NOT_EQUAL(output.data, empty_secret, sizeof(empty_secret));
|
@@ -240,22 +274,16 @@ int main(int argc, char **argv)
|
|
240
274
|
conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
241
275
|
conn->actual_protocol_version = S2N_TLS13;
|
242
276
|
|
243
|
-
|
244
|
-
|
245
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
246
|
-
|
247
|
-
EXPECT_OK(s2n_connection_set_test_early_secret(conn, &test_secret));
|
248
|
-
EXPECT_OK(s2n_connection_set_test_handshake_secret(conn, &test_secret));
|
249
|
-
EXPECT_OK(s2n_connection_set_test_master_secret(conn, &test_secret));
|
277
|
+
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.extract_secret, test_secret.data, test_secret.size);
|
278
|
+
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_early_secret, test_secret.data, test_secret.size);
|
250
279
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_handshake_secret, test_secret.data, test_secret.size);
|
251
280
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.server_handshake_secret, test_secret.data, test_secret.size);
|
252
281
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_app_secret, test_secret.data, test_secret.size);
|
253
282
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.server_app_secret, test_secret.data, test_secret.size);
|
254
283
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.resumption_master_secret, test_secret.data, test_secret.size);
|
255
284
|
|
256
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
257
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.
|
258
|
-
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
285
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
286
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret, empty_secret, sizeof(empty_secret));
|
259
287
|
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_handshake_secret, empty_secret, sizeof(empty_secret));
|
260
288
|
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.server_handshake_secret, empty_secret, sizeof(empty_secret));
|
261
289
|
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_app_secret, empty_secret, sizeof(empty_secret));
|
@@ -264,9 +292,8 @@ int main(int argc, char **argv)
|
|
264
292
|
|
265
293
|
EXPECT_OK(s2n_tls13_secrets_clean(conn));
|
266
294
|
|
267
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
268
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.
|
269
|
-
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.master_secret, empty_secret, sizeof(empty_secret));
|
295
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.extract_secret, empty_secret, sizeof(empty_secret));
|
296
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret, empty_secret, sizeof(empty_secret));
|
270
297
|
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_handshake_secret, empty_secret, sizeof(empty_secret));
|
271
298
|
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.server_handshake_secret, empty_secret, sizeof(empty_secret));
|
272
299
|
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_app_secret, empty_secret, sizeof(empty_secret));
|
@@ -286,12 +313,13 @@ int main(int argc, char **argv)
|
|
286
313
|
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_NONE_SECRET, S2N_CLIENT, &result), S2N_ERR_SAFETY);
|
287
314
|
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, -1, S2N_CLIENT, &result), S2N_ERR_SAFETY);
|
288
315
|
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, 100, S2N_CLIENT, &result), S2N_ERR_SAFETY);
|
316
|
+
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_EARLY_SECRET, S2N_SERVER, &result), S2N_ERR_SAFETY);
|
289
317
|
|
290
|
-
conn.secrets.tls13.
|
318
|
+
conn.secrets.tls13.extract_secret_type = S2N_NONE_SECRET;
|
291
319
|
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_get(&conn, S2N_HANDSHAKE_SECRET, S2N_CLIENT, &result), S2N_ERR_SAFETY);
|
292
320
|
}
|
293
321
|
|
294
|
-
/* Retrieves
|
322
|
+
/* Retrieves a secret */
|
295
323
|
{
|
296
324
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
297
325
|
s2n_connection_ptr_free);
|
@@ -300,7 +328,7 @@ int main(int argc, char **argv)
|
|
300
328
|
|
301
329
|
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_handshake_secret,
|
302
330
|
test_secret.data, test_secret.size);
|
303
|
-
conn->secrets.tls13.
|
331
|
+
conn->secrets.tls13.extract_secret_type = S2N_HANDSHAKE_SECRET;
|
304
332
|
|
305
333
|
struct s2n_blob result = { 0 };
|
306
334
|
uint8_t result_bytes[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
|
@@ -311,29 +339,50 @@ int main(int argc, char **argv)
|
|
311
339
|
EXPECT_TRUE(result.size <= S2N_TLS13_SECRET_MAX_LEN);
|
312
340
|
EXPECT_BYTEARRAY_EQUAL(result.data, test_secret.data, result.size);
|
313
341
|
}
|
342
|
+
}
|
314
343
|
|
315
|
-
|
344
|
+
/* s2n_tls13_secrets_update */
|
345
|
+
{
|
346
|
+
/* Safety */
|
347
|
+
EXPECT_ERROR_WITH_ERRNO(s2n_tls13_secrets_update(NULL), S2N_ERR_NULL);
|
348
|
+
|
349
|
+
/* Derives early secret on CLIENT_HELLO */
|
316
350
|
{
|
317
351
|
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
|
318
352
|
s2n_connection_ptr_free);
|
319
353
|
conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
320
354
|
conn->actual_protocol_version = S2N_TLS13;
|
355
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
|
356
|
+
empty_secret, sizeof(empty_secret));
|
321
357
|
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
358
|
+
/* Early secret not derived if early data not requested */
|
359
|
+
conn->early_data_state = S2N_EARLY_DATA_NOT_REQUESTED;
|
360
|
+
EXPECT_OK(s2n_tls13_secrets_update(conn));
|
361
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
|
362
|
+
empty_secret, sizeof(empty_secret));
|
326
363
|
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
364
|
+
/* Early secret not derived if early data rejected */
|
365
|
+
conn->early_data_state = S2N_EARLY_DATA_REJECTED;
|
366
|
+
EXPECT_OK(s2n_tls13_secrets_update(conn));
|
367
|
+
EXPECT_BYTEARRAY_EQUAL(conn->secrets.tls13.client_early_secret,
|
368
|
+
empty_secret, sizeof(empty_secret));
|
332
369
|
|
333
|
-
|
334
|
-
|
335
|
-
|
336
|
-
|
370
|
+
/* Early secret derived if early data requested */
|
371
|
+
conn->early_data_state = S2N_EARLY_DATA_REQUESTED;
|
372
|
+
EXPECT_OK(s2n_tls13_secrets_update(conn));
|
373
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret,
|
374
|
+
empty_secret, sizeof(empty_secret));
|
375
|
+
|
376
|
+
/* Clear secret */
|
377
|
+
EXPECT_MEMCPY_SUCCESS(conn->secrets.tls13.client_early_secret,
|
378
|
+
empty_secret, sizeof(empty_secret));
|
379
|
+
|
380
|
+
/* Early secret derived if early data accepted */
|
381
|
+
conn->early_data_state = S2N_EARLY_DATA_ACCEPTED;
|
382
|
+
EXPECT_OK(s2n_tls13_secrets_update(conn));
|
383
|
+
EXPECT_BYTEARRAY_NOT_EQUAL(conn->secrets.tls13.client_early_secret,
|
384
|
+
empty_secret, sizeof(empty_secret));
|
385
|
+
}
|
337
386
|
|
338
387
|
/* Derives handshake secrets on SERVER_HELLO */
|
339
388
|
{
|
@@ -18,11 +18,11 @@
|
|
18
18
|
#include "api/s2n.h"
|
19
19
|
#include "crypto/s2n_certificate.h"
|
20
20
|
#include "crypto/s2n_dhe.h"
|
21
|
+
#include "tls/s2n_psk.h"
|
21
22
|
#include "tls/s2n_resume.h"
|
22
23
|
#include "tls/s2n_x509_validator.h"
|
23
24
|
#include "utils/s2n_blob.h"
|
24
25
|
#include "utils/s2n_set.h"
|
25
|
-
#include "tls/s2n_psk.h"
|
26
26
|
|
27
27
|
#define S2N_MAX_TICKET_KEYS 48
|
28
28
|
#define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */
|
@@ -35,6 +35,7 @@
|
|
35
35
|
#include "tls/s2n_connection_evp_digests.h"
|
36
36
|
#include "tls/s2n_handshake.h"
|
37
37
|
#include "tls/s2n_kem.h"
|
38
|
+
#include "tls/s2n_internal.h"
|
38
39
|
#include "tls/s2n_prf.h"
|
39
40
|
#include "tls/s2n_record.h"
|
40
41
|
#include "tls/s2n_resume.h"
|
@@ -80,6 +81,10 @@ static int s2n_connection_init_hmacs(struct s2n_connection *conn)
|
|
80
81
|
return 0;
|
81
82
|
}
|
82
83
|
|
84
|
+
/* Allocates and initializes memory for a new connection.
|
85
|
+
*
|
86
|
+
* Since customers can reuse a connection, ensure that values on the connection are
|
87
|
+
* initialized in `s2n_connection_wipe` where possible. */
|
83
88
|
struct s2n_connection *s2n_connection_new(s2n_mode mode)
|
84
89
|
{
|
85
90
|
struct s2n_blob blob = {0};
|
@@ -93,24 +98,8 @@ struct s2n_connection *s2n_connection_new(s2n_mode mode)
|
|
93
98
|
|
94
99
|
PTR_GUARD_POSIX(s2n_connection_set_config(conn, s2n_fetch_default_config()));
|
95
100
|
|
101
|
+
/* `mode` is initialized here since its passed in as a parameter. */
|
96
102
|
conn->mode = mode;
|
97
|
-
conn->blinding = S2N_BUILT_IN_BLINDING;
|
98
|
-
conn->close_notify_queued = 0;
|
99
|
-
conn->client_session_resumed = 0;
|
100
|
-
conn->session_id_len = 0;
|
101
|
-
conn->verify_host_fn = NULL;
|
102
|
-
conn->data_for_verify_host = NULL;
|
103
|
-
conn->verify_host_fn_overridden = 0;
|
104
|
-
conn->data_for_verify_host = NULL;
|
105
|
-
conn->send = NULL;
|
106
|
-
conn->recv = NULL;
|
107
|
-
conn->send_io_context = NULL;
|
108
|
-
conn->recv_io_context = NULL;
|
109
|
-
conn->corked_io = 0;
|
110
|
-
conn->context = NULL;
|
111
|
-
conn->security_policy_override = NULL;
|
112
|
-
conn->ticket_lifetime_hint = 0;
|
113
|
-
conn->session_ticket_status = S2N_NO_TICKET;
|
114
103
|
|
115
104
|
/* Allocate the fixed-size stuffers */
|
116
105
|
blob = (struct s2n_blob) {0};
|
@@ -152,13 +141,15 @@ struct s2n_connection *s2n_connection_new(s2n_mode mode)
|
|
152
141
|
PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->in, 0));
|
153
142
|
PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->handshake.io, 0));
|
154
143
|
PTR_GUARD_POSIX(s2n_stuffer_growable_alloc(&conn->client_hello.raw_message, 0));
|
155
|
-
PTR_GUARD_POSIX(s2n_connection_wipe(conn));
|
156
144
|
PTR_GUARD_RESULT(s2n_timer_start(conn->config, &conn->write_timer));
|
157
145
|
|
158
|
-
/*
|
159
|
-
*
|
160
|
-
|
161
|
-
|
146
|
+
/* NOTE: s2n_connection_wipe MUST be called last in this function.
|
147
|
+
*
|
148
|
+
* s2n_connection_wipe is used for initializing values but also used by customers to
|
149
|
+
* reset/reuse the connection. Calling it last ensures that s2n_connection_wipe is
|
150
|
+
* implemented correctly and safe.
|
151
|
+
*/
|
152
|
+
PTR_GUARD_POSIX(s2n_connection_wipe(conn));
|
162
153
|
return conn;
|
163
154
|
}
|
164
155
|
|
@@ -512,6 +503,12 @@ int s2n_connection_free_handshake(struct s2n_connection *conn)
|
|
512
503
|
return 0;
|
513
504
|
}
|
514
505
|
|
506
|
+
/* An idempotent operation which initializes values on the connection.
|
507
|
+
*
|
508
|
+
* Called in order to reuse a connection structure for a new connection. Should wipe
|
509
|
+
* any persistent memory, free any temporary memory, and set all fields back to their
|
510
|
+
* defaults.
|
511
|
+
*/
|
515
512
|
int s2n_connection_wipe(struct s2n_connection *conn)
|
516
513
|
{
|
517
514
|
/* First make a copy of everything we'd like to save, which isn't very much. */
|
@@ -537,13 +534,11 @@ int s2n_connection_wipe(struct s2n_connection *conn)
|
|
537
534
|
/* Some required structures might have been freed to conserve memory between handshakes.
|
538
535
|
* Restore them.
|
539
536
|
*/
|
540
|
-
|
541
537
|
if (!conn->handshake.hashes) {
|
542
538
|
POSIX_GUARD_RESULT(s2n_handshake_hashes_new(&conn->handshake.hashes));
|
543
539
|
}
|
544
540
|
POSIX_GUARD_RESULT(s2n_handshake_hashes_wipe(conn->handshake.hashes));
|
545
541
|
struct s2n_handshake_hashes *handshake_hashes = conn->handshake.hashes;
|
546
|
-
|
547
542
|
if (!conn->prf_space) {
|
548
543
|
POSIX_GUARD_RESULT(s2n_prf_new(conn));
|
549
544
|
}
|
@@ -575,6 +570,9 @@ int s2n_connection_wipe(struct s2n_connection *conn)
|
|
575
570
|
POSIX_GUARD(s2n_free(&conn->peer_quic_transport_parameters));
|
576
571
|
POSIX_GUARD(s2n_free(&conn->server_early_data_context));
|
577
572
|
POSIX_GUARD(s2n_free(&conn->tls13_ticket_fields.session_secret));
|
573
|
+
/* TODO: Simplify cookie_stuffer implementation.
|
574
|
+
* https://github.com/aws/s2n-tls/issues/3287 */
|
575
|
+
POSIX_GUARD(s2n_stuffer_free(&conn->cookie_stuffer));
|
578
576
|
|
579
577
|
/* Allocate memory for handling handshakes */
|
580
578
|
POSIX_GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH));
|
@@ -658,6 +656,13 @@ int s2n_connection_wipe(struct s2n_connection *conn)
|
|
658
656
|
conn->actual_protocol_version = s2n_highest_protocol_version;
|
659
657
|
}
|
660
658
|
|
659
|
+
/* Initialize remaining values */
|
660
|
+
conn->blinding = S2N_BUILT_IN_BLINDING;
|
661
|
+
conn->session_ticket_status = S2N_NO_TICKET;
|
662
|
+
/* Initialize the cookie stuffer with zero length. If a cookie extension
|
663
|
+
* is received, the stuffer will be resized according to the cookie length */
|
664
|
+
POSIX_GUARD(s2n_stuffer_growable_alloc(&conn->cookie_stuffer, 0));
|
665
|
+
|
661
666
|
return 0;
|
662
667
|
}
|
663
668
|
|
@@ -26,16 +26,16 @@
|
|
26
26
|
#include "tls/s2n_config.h"
|
27
27
|
#include "tls/s2n_crypto.h"
|
28
28
|
#include "tls/s2n_early_data.h"
|
29
|
+
#include "tls/s2n_ecc_preferences.h"
|
29
30
|
#include "tls/s2n_handshake.h"
|
31
|
+
#include "tls/s2n_kem_preferences.h"
|
32
|
+
#include "tls/s2n_key_update.h"
|
30
33
|
#include "tls/s2n_prf.h"
|
31
34
|
#include "tls/s2n_quic_support.h"
|
35
|
+
#include "tls/s2n_record.h"
|
36
|
+
#include "tls/s2n_security_policies.h"
|
32
37
|
#include "tls/s2n_tls_parameters.h"
|
33
38
|
#include "tls/s2n_x509_validator.h"
|
34
|
-
#include "tls/s2n_key_update.h"
|
35
|
-
#include "tls/s2n_kem_preferences.h"
|
36
|
-
#include "tls/s2n_ecc_preferences.h"
|
37
|
-
#include "tls/s2n_security_policies.h"
|
38
|
-
#include "tls/s2n_record.h"
|
39
39
|
|
40
40
|
#include "crypto/s2n_hash.h"
|
41
41
|
#include "crypto/s2n_hmac.h"
|
@@ -30,14 +30,8 @@ struct s2n_handshake_hashes {
|
|
30
30
|
struct s2n_hash_state md5_sha1;
|
31
31
|
|
32
32
|
/* TLS1.3 requires transcript hash digests to calculate secrets.
|
33
|
-
* Because the transcript hash may be updated again before we
|
34
|
-
* calculate a secret that requires a specific state, we store
|
35
|
-
* copies of digests used for secret derivation.
|
36
33
|
*/
|
37
|
-
uint8_t
|
38
|
-
uint8_t server_hello_digest[S2N_TLS13_SECRET_MAX_LEN];
|
39
|
-
uint8_t server_finished_digest[S2N_TLS13_SECRET_MAX_LEN];
|
40
|
-
uint8_t client_finished_digest[S2N_TLS13_SECRET_MAX_LEN];
|
34
|
+
uint8_t transcript_hash_digest[S2N_TLS13_SECRET_MAX_LEN];
|
41
35
|
|
42
36
|
/* To avoid allocating memory for hash objects, we reuse one temporary hash object.
|
43
37
|
* Do NOT rely on this hash state maintaining its value outside of the current context.
|
@@ -1008,6 +1008,7 @@ static int s2n_handshake_write_io(struct s2n_connection *conn)
|
|
1008
1008
|
POSIX_GUARD(s2n_stuffer_wipe(&conn->handshake.io));
|
1009
1009
|
|
1010
1010
|
/* Update the secrets, if necessary */
|
1011
|
+
POSIX_GUARD_RESULT(s2n_tls13_secrets_update(conn));
|
1011
1012
|
POSIX_GUARD_RESULT(s2n_tls13_key_schedule_update(conn));
|
1012
1013
|
|
1013
1014
|
/* Advance the state machine */
|
@@ -1139,6 +1140,7 @@ static S2N_RESULT s2n_finish_read(struct s2n_connection *conn)
|
|
1139
1140
|
|
1140
1141
|
RESULT_GUARD_POSIX(s2n_handshake_conn_update_hashes(conn));
|
1141
1142
|
RESULT_GUARD_POSIX(s2n_stuffer_wipe(&conn->handshake.io));
|
1143
|
+
RESULT_GUARD(s2n_tls13_secrets_update(conn));
|
1142
1144
|
RESULT_GUARD(s2n_tls13_key_schedule_update(conn));
|
1143
1145
|
RESULT_GUARD_POSIX(s2n_advance_message(conn));
|
1144
1146
|
return S2N_RESULT_OK;
|