SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437
							/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#include "tls/s2n_early_data.h"

#include <sys/param.h>

#include "tls/s2n_cipher_suites.h"
#include "tls/s2n_connection.h"
#include "tls/s2n_psk.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"

const s2n_early_data_state valid_previous_states[] = {
    [S2N_EARLY_DATA_REQUESTED] = S2N_UNKNOWN_EARLY_DATA_STATE,
    [S2N_EARLY_DATA_NOT_REQUESTED] = S2N_UNKNOWN_EARLY_DATA_STATE,
    [S2N_EARLY_DATA_REJECTED] = S2N_EARLY_DATA_REQUESTED,
    [S2N_EARLY_DATA_ACCEPTED] = S2N_EARLY_DATA_REQUESTED,
    [S2N_END_OF_EARLY_DATA] = S2N_EARLY_DATA_ACCEPTED,
};

S2N_RESULT s2n_connection_set_early_data_state(struct s2n_connection *conn, s2n_early_data_state next_state)
{
    RESULT_ENSURE_REF(conn);
    if (conn->early_data_state == next_state) {
        return S2N_RESULT_OK;
    }
    RESULT_ENSURE(next_state < S2N_EARLY_DATA_STATES_COUNT, S2N_ERR_INVALID_EARLY_DATA_STATE);
    RESULT_ENSURE(next_state != S2N_UNKNOWN_EARLY_DATA_STATE, S2N_ERR_INVALID_EARLY_DATA_STATE);
    RESULT_ENSURE(conn->early_data_state == valid_previous_states[next_state], S2N_ERR_INVALID_EARLY_DATA_STATE);
    conn->early_data_state = next_state;
    return S2N_RESULT_OK;
}

int s2n_connection_set_early_data_expected(struct s2n_connection *conn)
{
    POSIX_ENSURE_REF(conn);
    conn->early_data_expected = true;
    return S2N_SUCCESS;
}

int s2n_connection_set_end_of_early_data(struct s2n_connection *conn)
{
    POSIX_ENSURE_REF(conn);
    conn->early_data_expected = false;
    return S2N_SUCCESS;
}

static S2N_RESULT s2n_early_data_validate(struct s2n_connection *conn)
{
    RESULT_ENSURE_REF(conn);
    RESULT_ENSURE_REF(conn->secure);

    /**
     *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
     *# In order to accept early data, the server MUST have accepted a PSK
     *# cipher suite and selected the first key offered in the client's
     *# "pre_shared_key" extension.
     **/
    RESULT_ENSURE_REF(conn->psk_params.chosen_psk);
    RESULT_ENSURE_EQ(conn->psk_params.chosen_psk_wire_index, 0);

    struct s2n_early_data_config *config = &conn->psk_params.chosen_psk->early_data_config;
    RESULT_ENSURE_GT(config->max_early_data_size, 0);

    /**
     *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
     *# In addition, it MUST verify that the
     *# following values are the same as those associated with the
     *# selected PSK:
     *#
     *# -  The TLS version number
     **/
    RESULT_ENSURE_EQ(config->protocol_version, s2n_connection_get_protocol_version(conn));
    /**
     *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
     *# -  The selected cipher suite
     **/
    RESULT_ENSURE_EQ(config->cipher_suite, conn->secure->cipher_suite);
    /**
     *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
     *# -  The selected ALPN [RFC7301] protocol, if any
     **/
    const size_t app_protocol_size = strlen(conn->application_protocol);
    if (app_protocol_size > 0 || config->application_protocol.size > 0) {
        RESULT_ENSURE_EQ(config->application_protocol.size, app_protocol_size + 1 /* null-terminating char */);
        RESULT_ENSURE_EQ(memcmp(config->application_protocol.data, conn->application_protocol, app_protocol_size), 0);
    }

    return S2N_RESULT_OK;
}

bool s2n_early_data_is_valid_for_connection(struct s2n_connection *conn)
{
    return s2n_result_is_ok(s2n_early_data_validate(conn));
}

S2N_RESULT s2n_early_data_accept_or_reject(struct s2n_connection *conn)
{
    RESULT_ENSURE_REF(conn);
    if (conn->early_data_state != S2N_EARLY_DATA_REQUESTED) {
        return S2N_RESULT_OK;
    }

    if (conn->handshake.early_data_async_state.conn) {
        RESULT_BAIL(S2N_ERR_ASYNC_BLOCKED);
    }

    /**
     *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
     *# If any of these checks fail, the server MUST NOT respond with the
     *# extension
     **/
    if (!s2n_early_data_is_valid_for_connection(conn)) {
        RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
        return S2N_RESULT_OK;
    }

    /* Even if the connection is valid for early data, the client can't consider
     * early data accepted until the server sends the early data indication. */
    if (conn->mode == S2N_CLIENT) {
        return S2N_RESULT_OK;
    }

    /* The server should reject early data if the application is not prepared to handle it. */
    if (!conn->early_data_expected) {
        RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
        return S2N_RESULT_OK;
    }

    /* If early data would otherwise be accepted, let the application apply any additional restrictions.
     * For example, an application could use this callback to implement anti-replay protections.
     *
     * This callback can be either synchronous or asynchronous. The handshake will not proceed until
     * the application either accepts or rejects early data.
     */
    RESULT_ENSURE_REF(conn->config);
    if (conn->config->early_data_cb) {
        conn->handshake.early_data_async_state.conn = conn;
        RESULT_ENSURE(conn->config->early_data_cb(conn, &conn->handshake.early_data_async_state) >= S2N_SUCCESS,
                S2N_ERR_CANCELLED);
        if (conn->early_data_state == S2N_EARLY_DATA_REQUESTED) {
            RESULT_BAIL(S2N_ERR_ASYNC_BLOCKED);
        }
    } else {
        RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_ACCEPTED));
    }
    return S2N_RESULT_OK;
}

int s2n_config_set_server_max_early_data_size(struct s2n_config *config, uint32_t max_early_data_size)
{
    POSIX_ENSURE_REF(config);
    config->server_max_early_data_size = max_early_data_size;
    return S2N_SUCCESS;
}

int s2n_connection_set_server_max_early_data_size(struct s2n_connection *conn, uint32_t max_early_data_size)
{
    POSIX_ENSURE_REF(conn);
    conn->server_max_early_data_size = max_early_data_size;
    conn->server_max_early_data_size_overridden = true;
    return S2N_SUCCESS;
}

S2N_RESULT s2n_early_data_get_server_max_size(struct s2n_connection *conn, uint32_t *max_early_data_size)
{
    RESULT_ENSURE_REF(conn);
    RESULT_ENSURE_REF(max_early_data_size);
    if (conn->server_max_early_data_size_overridden) {
        *max_early_data_size = conn->server_max_early_data_size;
    } else {
        RESULT_ENSURE_REF(conn->config);
        *max_early_data_size = conn->config->server_max_early_data_size;
    }
    return S2N_RESULT_OK;
}

int s2n_connection_set_server_early_data_context(struct s2n_connection *conn, const uint8_t *context, uint16_t context_size)
{
    POSIX_ENSURE_REF(conn);
    if (context_size > 0) {
        POSIX_ENSURE_REF(context);
    }

    POSIX_GUARD(s2n_realloc(&conn->server_early_data_context, context_size));
    POSIX_CHECKED_MEMCPY(conn->server_early_data_context.data, context, context_size);
    return S2N_SUCCESS;
}

S2N_CLEANUP_RESULT s2n_early_data_config_free(struct s2n_early_data_config *config)
{
    if (config == NULL) {
        return S2N_RESULT_OK;
    }
    RESULT_GUARD_POSIX(s2n_free(&config->application_protocol));
    RESULT_GUARD_POSIX(s2n_free(&config->context));
    return S2N_RESULT_OK;
}

int s2n_psk_configure_early_data(struct s2n_psk *psk, uint32_t max_early_data_size,
        uint8_t cipher_suite_first_byte, uint8_t cipher_suite_second_byte)
{
    POSIX_ENSURE_REF(psk);

    const uint8_t cipher_suite_iana[] = { cipher_suite_first_byte, cipher_suite_second_byte };
    struct s2n_cipher_suite *cipher_suite = NULL;
    POSIX_GUARD_RESULT(s2n_cipher_suite_from_iana(cipher_suite_iana, sizeof(cipher_suite_iana), &cipher_suite));
    POSIX_ENSURE_REF(cipher_suite);
    POSIX_ENSURE(cipher_suite->prf_alg == psk->hmac_alg, S2N_ERR_INVALID_ARGUMENT);

    psk->early_data_config.max_early_data_size = max_early_data_size;
    psk->early_data_config.protocol_version = S2N_TLS13;
    psk->early_data_config.cipher_suite = cipher_suite;
    return S2N_SUCCESS;
}

int s2n_psk_set_application_protocol(struct s2n_psk *psk, const uint8_t *application_protocol, uint8_t size)
{
    POSIX_ENSURE_REF(psk);
    if (size > 0) {
        POSIX_ENSURE_REF(application_protocol);
    }
    struct s2n_blob *protocol_blob = &psk->early_data_config.application_protocol;
    POSIX_GUARD(s2n_realloc(protocol_blob, size));
    POSIX_CHECKED_MEMCPY(protocol_blob->data, application_protocol, size);
    return S2N_SUCCESS;
}

int s2n_psk_set_early_data_context(struct s2n_psk *psk, const uint8_t *context, uint16_t size)
{
    POSIX_ENSURE_REF(psk);
    if (size > 0) {
        POSIX_ENSURE_REF(context);
    }
    struct s2n_blob *context_blob = &psk->early_data_config.context;
    POSIX_GUARD(s2n_realloc(context_blob, size));
    POSIX_CHECKED_MEMCPY(context_blob->data, context, size);
    return S2N_SUCCESS;
}

S2N_RESULT s2n_early_data_config_clone(struct s2n_psk *new_psk, struct s2n_early_data_config *old_config)
{
    RESULT_ENSURE_REF(old_config);
    RESULT_ENSURE_REF(new_psk);

    struct s2n_early_data_config config_copy = new_psk->early_data_config;

    /* Copy all fields from the old_config EXCEPT the blobs, which we need to reallocate. */
    new_psk->early_data_config = *old_config;
    new_psk->early_data_config.application_protocol = config_copy.application_protocol;
    new_psk->early_data_config.context = config_copy.context;

    /* Clone / realloc blobs */
    RESULT_GUARD_POSIX(s2n_psk_set_application_protocol(new_psk, old_config->application_protocol.data,
            old_config->application_protocol.size));
    RESULT_GUARD_POSIX(s2n_psk_set_early_data_context(new_psk, old_config->context.data,
            old_config->context.size));

    return S2N_RESULT_OK;
}

int s2n_connection_get_early_data_status(struct s2n_connection *conn, s2n_early_data_status_t *status)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(status);

    switch (conn->early_data_state) {
        case S2N_EARLY_DATA_STATES_COUNT:
            break;
        case S2N_EARLY_DATA_NOT_REQUESTED:
            *status = S2N_EARLY_DATA_STATUS_NOT_REQUESTED;
            return S2N_SUCCESS;
        case S2N_EARLY_DATA_REJECTED:
            *status = S2N_EARLY_DATA_STATUS_REJECTED;
            return S2N_SUCCESS;
        case S2N_END_OF_EARLY_DATA:
            *status = S2N_EARLY_DATA_STATUS_END;
            return S2N_SUCCESS;
        case S2N_UNKNOWN_EARLY_DATA_STATE:
        case S2N_EARLY_DATA_REQUESTED:
        case S2N_EARLY_DATA_ACCEPTED:
            *status = S2N_EARLY_DATA_STATUS_OK;
            return S2N_SUCCESS;
    }
    POSIX_BAIL(S2N_ERR_INVALID_EARLY_DATA_STATE);
}

static S2N_RESULT s2n_get_remaining_early_data_bytes(struct s2n_connection *conn, uint32_t *early_data_allowed)
{
    RESULT_ENSURE_REF(conn);
    RESULT_ENSURE_REF(early_data_allowed);
    *early_data_allowed = 0;

    uint32_t max_early_data_size = 0;
    RESULT_GUARD_POSIX(s2n_connection_get_max_early_data_size(conn, &max_early_data_size));

    RESULT_ENSURE(max_early_data_size >= conn->early_data_bytes, S2N_ERR_MAX_EARLY_DATA_SIZE);
    *early_data_allowed = (max_early_data_size - conn->early_data_bytes);

    return S2N_RESULT_OK;
}

int s2n_connection_get_remaining_early_data_size(struct s2n_connection *conn, uint32_t *allowed_early_data_size)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(allowed_early_data_size);
    *allowed_early_data_size = 0;

    switch (conn->early_data_state) {
        case S2N_EARLY_DATA_STATES_COUNT:
        case S2N_EARLY_DATA_NOT_REQUESTED:
        case S2N_EARLY_DATA_REJECTED:
        case S2N_END_OF_EARLY_DATA:
            *allowed_early_data_size = 0;
            break;
        case S2N_UNKNOWN_EARLY_DATA_STATE:
        case S2N_EARLY_DATA_REQUESTED:
        case S2N_EARLY_DATA_ACCEPTED:
            POSIX_GUARD_RESULT(s2n_get_remaining_early_data_bytes(conn, allowed_early_data_size));
            break;
    }
    return S2N_SUCCESS;
}

int s2n_connection_get_max_early_data_size(struct s2n_connection *conn, uint32_t *max_early_data_size)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(max_early_data_size);
    *max_early_data_size = 0;

    uint32_t server_max_early_data_size = 0;
    POSIX_GUARD_RESULT(s2n_early_data_get_server_max_size(conn, &server_max_early_data_size));

    if (conn->psk_params.psk_list.len == 0) {
        /* This method may be called by the server before loading its PSKs.
         * The server can load its PSKs during the handshake, either via the PSK selection callback
         * or by receiving a stateless session ticket.
         *
         * Before that happens, we should make an optimistic assumption of the early data size.
         * That way, the max early data size always decreases (for example, it won't go from 0 -> UINT32_MAX
         * after receiving a PSK in the ClientHello).
         */
        if (conn->mode == S2N_SERVER && !IS_NEGOTIATED(conn)) {
            *max_early_data_size = server_max_early_data_size;
        }
        return S2N_SUCCESS;
    }

    struct s2n_psk *first_psk = NULL;
    POSIX_GUARD_RESULT(s2n_array_get(&conn->psk_params.psk_list, 0, (void **) &first_psk));
    POSIX_ENSURE_REF(first_psk);
    *max_early_data_size = first_psk->early_data_config.max_early_data_size;

    /* For the server, we should use the minimum of the limit retrieved from the ticket
     * and the current limit being set for new tickets.
     *
     * This is defensive: even if more early data was previously allowed, the server may not be
     * willing or able to handle that much early data now.
     *
     * We don't do this for external PSKs because the server has intentionally set the limit
     * while setting up this connection, not during a previous connection.
     */
    if (conn->mode == S2N_SERVER && first_psk->type == S2N_PSK_TYPE_RESUMPTION) {
        *max_early_data_size = MIN(*max_early_data_size, server_max_early_data_size);
    }

    return S2N_SUCCESS;
}

int s2n_config_set_early_data_cb(struct s2n_config *config, s2n_early_data_cb cb)
{
    POSIX_ENSURE_REF(config);
    config->early_data_cb = cb;
    return S2N_SUCCESS;
}

int s2n_offered_early_data_get_context_length(struct s2n_offered_early_data *early_data, uint16_t *context_len)
{
    POSIX_ENSURE_REF(context_len);
    POSIX_ENSURE_REF(early_data);
    struct s2n_connection *conn = early_data->conn;

    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(conn->psk_params.chosen_psk);
    struct s2n_early_data_config *early_data_config = &conn->psk_params.chosen_psk->early_data_config;

    *context_len = early_data_config->context.size;

    return S2N_SUCCESS;
}

int s2n_offered_early_data_get_context(struct s2n_offered_early_data *early_data, uint8_t *context, uint16_t max_len)
{
    POSIX_ENSURE_REF(context);
    POSIX_ENSURE_REF(early_data);
    struct s2n_connection *conn = early_data->conn;

    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(conn->psk_params.chosen_psk);
    struct s2n_early_data_config *early_data_config = &conn->psk_params.chosen_psk->early_data_config;

    POSIX_ENSURE(early_data_config->context.size <= max_len, S2N_ERR_INSUFFICIENT_MEM_SIZE);
    POSIX_CHECKED_MEMCPY(context, early_data_config->context.data, early_data_config->context.size);

    return S2N_SUCCESS;
}

int s2n_offered_early_data_reject(struct s2n_offered_early_data *early_data)
{
    POSIX_ENSURE_REF(early_data);
    struct s2n_connection *conn = early_data->conn;
    POSIX_ENSURE_REF(conn);
    POSIX_GUARD_RESULT(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
    return S2N_SUCCESS;
}

int s2n_offered_early_data_accept(struct s2n_offered_early_data *early_data)
{
    POSIX_ENSURE_REF(early_data);
    struct s2n_connection *conn = early_data->conn;
    POSIX_ENSURE_REF(conn);
    POSIX_GUARD_RESULT(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_ACCEPTED));
    return S2N_SUCCESS;
}