Cleanup

aws · Jul 15, 2024 · 5659434 · 5659434
1 parent 661b8c8
commit 5659434
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 89 deletions.
diff --git a/tests/unit/s2n_client_psk_extension_test.c b/tests/unit/s2n_client_psk_extension_test.c
@@ -82,7 +82,7 @@ static S2N_RESULT s2n_setup_encrypted_ticket(struct s2n_connection *conn, struct
     RESULT_CHECKED_MEMCPY(conn->tls13_ticket_fields.session_secret.data, test_secret_data, sizeof(test_secret_data));
 
     /* Create a valid resumption psk identity */
-    RESULT_GUARD(s2n_encrypt_session_ticket(conn, output));
+    RESULT_GUARD(s2n_resume_encrypt_session_ticket(conn, output));
     output->blob.size = s2n_stuffer_data_available(output);
 
     return S2N_RESULT_OK;

diff --git a/tests/unit/s2n_extended_master_secret_test.c b/tests/unit/s2n_extended_master_secret_test.c
@@ -50,7 +50,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_stuffer_init(&ticket, &ticket_blob));
 
             /* Encrypt the ticket with EMS data */
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &ticket));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &ticket));
 
             EXPECT_SUCCESS(s2n_connection_wipe(conn));
             EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
@@ -89,7 +89,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_stuffer_init(&ticket, &ticket_blob));
 
             /* Encrypt the ticket without EMS data */
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &ticket));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &ticket));
 
             EXPECT_SUCCESS(s2n_connection_wipe(conn));
             EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
@@ -126,7 +126,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_stuffer_init(&ticket, &ticket_blob));
 
             /* Encrypt the ticket with EMS data */
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &ticket));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &ticket));
 
             EXPECT_SUCCESS(s2n_connection_wipe(conn));
             EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

diff --git a/tests/unit/s2n_psk_offered_test.c b/tests/unit/s2n_psk_offered_test.c
@@ -30,7 +30,7 @@ static S2N_RESULT s2n_setup_encrypted_ticket(struct s2n_connection *conn, struct
     RESULT_CHECKED_MEMCPY(conn->tls13_ticket_fields.session_secret.data, test_secret_data, sizeof(test_secret_data));
 
     /* Create a valid resumption psk identity */
-    RESULT_GUARD(s2n_encrypt_session_ticket(conn, output));
+    RESULT_GUARD(s2n_resume_encrypt_session_ticket(conn, output));
     output->blob.size = s2n_stuffer_data_available(output);
 
     return S2N_RESULT_OK;

diff --git a/tests/unit/s2n_resume_test.c b/tests/unit/s2n_resume_test.c
@@ -1281,7 +1281,7 @@ int main(int argc, char **argv)
         };
     };
 
-    /* s2n_encrypt_session_ticket */
+    /* s2n_resume_encrypt_session_ticket */
     {
         /* Session ticket keys. Taken from test vectors in https://tools.ietf.org/html/rfc5869 */
         uint8_t ticket_key_name[16] = "2016.07.26.15\0";
@@ -1312,13 +1312,13 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_stuffer_write_bytes(&secret_stuffer, test_master_secret.data, S2N_TLS_SECRET_LEN));
             conn->secure->cipher_suite = &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256;
 
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
             EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&conn->client_ticket_to_decrypt), 0);
 
             /* Wiping the master secret to prove that the decryption function actually writes the master secret */
             memset(conn->secrets.version.tls12.master_secret, 0, test_master_secret.size);
 
-            EXPECT_OK(s2n_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
+            EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
             EXPECT_EQUAL(s2n_stuffer_data_available(&conn->client_ticket_to_decrypt), 0);
 
             /* Check decryption was successful by comparing master key */
@@ -1355,8 +1355,8 @@ int main(int argc, char **argv)
             /* This secret is smaller than the maximum secret length */
             EXPECT_TRUE(conn->tls13_ticket_fields.session_secret.size < S2N_TLS_SECRET_LEN);
 
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &output));
-            EXPECT_OK(s2n_decrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &output));
 
             EXPECT_EQUAL(s2n_stuffer_data_available(&output), 0);
 
@@ -1397,8 +1397,8 @@ int main(int argc, char **argv)
             /* This secret is equal to the maximum secret length */
             EXPECT_EQUAL(conn->tls13_ticket_fields.session_secret.size, S2N_TLS_SECRET_LEN);
 
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &output));
-            EXPECT_OK(s2n_decrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &output));
 
             EXPECT_EQUAL(s2n_stuffer_data_available(&output), 0);
 
@@ -1440,8 +1440,8 @@ int main(int argc, char **argv)
             conn->tls13_ticket_fields = (struct s2n_ticket_fields){ .ticket_age_add = 1 };
             EXPECT_SUCCESS(s2n_dup(&test_master_secret, &conn->tls13_ticket_fields.session_secret));
 
-            EXPECT_OK(s2n_encrypt_session_ticket(conn, &output));
-            EXPECT_OK(s2n_decrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &output));
+            EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &output));
 
             EXPECT_EQUAL(s2n_stuffer_data_available(&output), 0);
 

diff --git a/tests/unit/s2n_session_ticket_test.c b/tests/unit/s2n_session_ticket_test.c
@@ -1087,7 +1087,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_config_free(client_config));
     };
 
-    /* s2n_decrypt_session_ticket fails to decrypt when presented with a valid ticket_key, valid iv and invalid encrypted blob */
+    /* s2n_resume_decrypt_session_ticket fails to decrypt when presented with a valid ticket_key, valid iv and invalid encrypted blob */
     {
         EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
         EXPECT_NOT_NULL(server_config = s2n_config_new());
@@ -1107,13 +1107,13 @@ int main(int argc, char **argv)
         POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, invalid_en_data, sizeof(invalid_en_data)));
 
         server_conn->session_ticket_status = S2N_DECRYPT_TICKET;
-        EXPECT_ERROR_WITH_ERRNO(s2n_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_DECRYPT);
+        EXPECT_ERROR_WITH_ERRNO(s2n_resume_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_DECRYPT);
 
         EXPECT_SUCCESS(s2n_connection_free(server_conn));
         EXPECT_SUCCESS(s2n_config_free(server_config));
     };
 
-    /* s2n_decrypt_session_ticket fails with a key not found error when presented with an invalid ticket_key, valid iv and invalid encrypted blob */
+    /* s2n_resume_decrypt_session_ticket fails with a key not found error when presented with an invalid ticket_key, valid iv and invalid encrypted blob */
     {
         EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
         EXPECT_NOT_NULL(server_config = s2n_config_new());
@@ -1133,7 +1133,7 @@ int main(int argc, char **argv)
         POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, invalid_en_data, sizeof(invalid_en_data)));
 
         server_conn->session_ticket_status = S2N_DECRYPT_TICKET;
-        EXPECT_ERROR_WITH_ERRNO(s2n_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_KEY_USED_IN_SESSION_TICKET_NOT_FOUND);
+        EXPECT_ERROR_WITH_ERRNO(s2n_resume_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_KEY_USED_IN_SESSION_TICKET_NOT_FOUND);
 
         EXPECT_SUCCESS(s2n_connection_free(server_conn));
         EXPECT_SUCCESS(s2n_config_free(server_config));

diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c
@@ -1046,7 +1046,7 @@ int s2n_conn_set_handshake_type(struct s2n_connection *conn)
             /* We reuse the session if a valid TLS12 ticket is provided.
              * Otherwise, we will perform a full handshake and then generate
              * a new session ticket. */
-            if (s2n_result_is_ok(s2n_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt))) {
+            if (s2n_result_is_ok(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt))) {
                 return S2N_SUCCESS;
             }
 

diff --git a/tls/s2n_psk.c b/tls/s2n_psk.c
@@ -326,8 +326,8 @@ int s2n_offered_psk_list_choose_psk(struct s2n_offered_psk_list *psk_list, struc
         POSIX_GUARD(s2n_stuffer_init(&ticket_stuffer, &psk->identity));
         POSIX_GUARD(s2n_stuffer_skip_write(&ticket_stuffer, psk->identity.size));
 
-        /* s2n_decrypt_session_ticket appends a new PSK with the decrypted values. */
-        POSIX_GUARD_RESULT(s2n_decrypt_session_ticket(psk_list->conn, &ticket_stuffer));
+        /* s2n_resume_decrypt_session_ticket appends a new PSK with the decrypted values. */
+        POSIX_GUARD_RESULT(s2n_resume_decrypt_session_ticket(psk_list->conn, &ticket_stuffer));
     }
 
     struct s2n_psk *chosen_psk = NULL;

diff --git a/tls/s2n_resume.c b/tls/s2n_resume.c
@@ -462,7 +462,7 @@ int s2n_resume_from_cache(struct s2n_connection *conn)
     struct s2n_stuffer from = { 0 };
     POSIX_GUARD(s2n_stuffer_init(&from, &entry));
     POSIX_GUARD(s2n_stuffer_write(&from, &entry));
-    POSIX_GUARD(s2n_decrypt_session_cache(conn, &from));
+    POSIX_GUARD(s2n_resume_decrypt_session_cache(conn, &from));
 
     return 0;
 }
@@ -689,7 +689,7 @@ int s2n_compute_weight_of_encrypt_decrypt_keys(struct s2n_config *config,
     POSIX_BAIL(S2N_ERR_ENCRYPT_DECRYPT_KEY_SELECTION_FAILED);
 }
 
-/* This function is used in s2n_encrypt_session_ticket in order for s2n to
+/* This function is used in s2n_resume_encrypt_session_ticket in order for s2n to
  * choose a key in encrypt-decrypt state from all of the keys added to config
  */
 struct s2n_ticket_key *s2n_get_ticket_encrypt_decrypt_key(struct s2n_config *config)
@@ -736,7 +736,7 @@ struct s2n_ticket_key *s2n_get_ticket_encrypt_decrypt_key(struct s2n_config *con
     return ticket_key;
 }
 
-/* This function is used in s2n_decrypt_session_ticket in order for s2n to
+/* This function is used in s2n_resume_decrypt_session_ticket in order for s2n to
  * find the matching key that was used for encryption.
  */
 struct s2n_ticket_key *s2n_find_ticket_key(struct s2n_config *config, const uint8_t name[S2N_TICKET_KEY_NAME_LEN])
@@ -769,7 +769,7 @@ struct s2n_ticket_key *s2n_find_ticket_key(struct s2n_config *config, const uint
     return NULL;
 }
 
-S2N_RESULT s2n_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to)
+S2N_RESULT s2n_resume_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to)
 {
     RESULT_ENSURE_REF(conn);
     RESULT_ENSURE_REF(to);
@@ -827,7 +827,7 @@ S2N_RESULT s2n_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_st
     return S2N_RESULT_OK;
 }
 
-S2N_RESULT s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from)
+S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from)
 {
     RESULT_ENSURE_REF(conn);
     RESULT_ENSURE_REF(from);
@@ -875,7 +875,7 @@ S2N_RESULT s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_st
     RESULT_GUARD_POSIX(s2n_aes256_gcm.io.aead.decrypt(&aes_ticket_key, &iv, &aad_blob, &en_blob, &en_blob));
     RESULT_GUARD(s2n_aes256_gcm.destroy_key(&aes_ticket_key));
 
-    /* Read and parse decrypted state */
+    /* Parse decrypted state */
     struct s2n_blob state_blob = { 0 };
     uint32_t state_blob_size = en_blob_size - S2N_TLS_GCM_TAG_LEN;
     RESULT_GUARD_POSIX(s2n_blob_init(&state_blob, en_blob.data, state_blob_size));
@@ -884,7 +884,7 @@ S2N_RESULT s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_st
     RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&state_stuffer, state_blob_size));
     RESULT_GUARD(s2n_deserialize_resumption_state(conn, &from->blob, &state_stuffer));
 
-    if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13) {
+    if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13 || conn->config->use_session_cache) {
         return S2N_RESULT_OK;
     }
 
@@ -902,66 +902,14 @@ S2N_RESULT s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_st
 
 int s2n_encrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *to)
 {
-    POSIX_GUARD_RESULT(s2n_encrypt_session_ticket(conn, to));
+    POSIX_GUARD_RESULT(s2n_resume_encrypt_session_ticket(conn, to));
     return S2N_SUCCESS;
 }
 
-int s2n_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from)
+int s2n_resume_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from)
 {
-    struct s2n_ticket_key *key = NULL;
-    struct s2n_session_key aes_ticket_key = { 0 };
-    struct s2n_blob aes_key_blob = { 0 };
-
-    uint8_t key_name[S2N_TICKET_KEY_NAME_LEN] = { 0 };
-
-    uint8_t iv_data[S2N_TLS_GCM_IV_LEN] = { 0 };
-    struct s2n_blob iv = { 0 };
-    POSIX_GUARD(s2n_blob_init(&iv, iv_data, sizeof(iv_data)));
-
-    uint8_t aad_data[S2N_TICKET_AAD_LEN] = { 0 };
-    struct s2n_blob aad_blob = { 0 };
-    POSIX_GUARD(s2n_blob_init(&aad_blob, aad_data, sizeof(aad_data)));
-    struct s2n_stuffer aad = { 0 };
-
-    uint8_t s_data[S2N_TLS12_STATE_SIZE_IN_BYTES] = { 0 };
-    struct s2n_blob state_blob = { 0 };
-    POSIX_GUARD(s2n_blob_init(&state_blob, s_data, sizeof(s_data)));
-    struct s2n_stuffer state = { 0 };
-
-    uint8_t en_data[S2N_TLS12_STATE_SIZE_IN_BYTES + S2N_TLS_GCM_TAG_LEN] = { 0 };
-    struct s2n_blob en_blob = { 0 };
-    POSIX_GUARD(s2n_blob_init(&en_blob, en_data, sizeof(en_data)));
-
-    POSIX_GUARD(s2n_stuffer_read_bytes(from, key_name, s2n_array_len(key_name)));
-
-    key = s2n_find_ticket_key(conn->config, key_name);
-
-    /* Key has expired; do full handshake with New Session Ticket (NST) */
-    POSIX_ENSURE(key != NULL, S2N_ERR_KEY_USED_IN_SESSION_TICKET_NOT_FOUND);
-
-    POSIX_GUARD(s2n_stuffer_read(from, &iv));
-
-    POSIX_GUARD(s2n_blob_init(&aes_key_blob, key->aes_key, S2N_AES256_KEY_LEN));
-    POSIX_GUARD(s2n_session_key_alloc(&aes_ticket_key));
-    POSIX_GUARD_RESULT(s2n_aes256_gcm.init(&aes_ticket_key));
-    POSIX_GUARD_RESULT(s2n_aes256_gcm.set_decryption_key(&aes_ticket_key, &aes_key_blob));
-
-    POSIX_GUARD(s2n_stuffer_init(&aad, &aad_blob));
-    POSIX_GUARD(s2n_stuffer_write_bytes(&aad, key->implicit_aad, S2N_TICKET_AAD_IMPLICIT_LEN));
-    POSIX_GUARD(s2n_stuffer_write_bytes(&aad, key->key_name, S2N_TICKET_KEY_NAME_LEN));
-
-    POSIX_GUARD(s2n_stuffer_read(from, &en_blob));
-
-    POSIX_GUARD(s2n_aes256_gcm.io.aead.decrypt(&aes_ticket_key, &iv, &aad_blob, &en_blob, &en_blob));
-    POSIX_GUARD_RESULT(s2n_aes256_gcm.destroy_key(&aes_ticket_key));
-    POSIX_GUARD(s2n_session_key_free(&aes_ticket_key));
-
-    POSIX_GUARD(s2n_stuffer_init(&state, &state_blob));
-    POSIX_GUARD(s2n_stuffer_write_bytes(&state, en_data, S2N_TLS12_STATE_SIZE_IN_BYTES));
-
-    POSIX_GUARD_RESULT(s2n_deserialize_resumption_state(conn, NULL, &state));
-
-    return 0;
+    POSIX_GUARD_RESULT(s2n_resume_decrypt_session_ticket(conn, from));
+    return S2N_SUCCESS;
 }
 
 /* This function is used to remove all or just one expired key from server config */

diff --git a/tls/s2n_resume.h b/tls/s2n_resume.h
@@ -71,10 +71,10 @@ struct s2n_session_ticket {
 };
 
 struct s2n_ticket_key *s2n_find_ticket_key(struct s2n_config *config, const uint8_t name[S2N_TICKET_KEY_NAME_LEN]);
-S2N_RESULT s2n_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to);
-S2N_RESULT s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from);
+S2N_RESULT s2n_resume_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to);
+S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from);
 int s2n_encrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *to);
-int s2n_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from);
+int s2n_resume_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from);
 S2N_RESULT s2n_config_is_encrypt_key_available(struct s2n_config *config);
 int s2n_verify_unique_ticket_key(struct s2n_config *config, uint8_t *hash, uint16_t *insert_index);
 int s2n_config_wipe_expired_ticket_crypto_keys(struct s2n_config *config, int8_t expired_key_index);

diff --git a/tls/s2n_server_new_session_ticket.c b/tls/s2n_server_new_session_ticket.c
@@ -92,7 +92,7 @@ int s2n_server_nst_send(struct s2n_connection *conn)
      *# NewSessionTicket handshake message.
      **/
     POSIX_GUARD(s2n_stuffer_init(&to, &entry));
-    if (!conn->config->use_tickets || s2n_result_is_error(s2n_encrypt_session_ticket(conn, &to))) {
+    if (!conn->config->use_tickets || s2n_result_is_error(s2n_resume_encrypt_session_ticket(conn, &to))) {
         POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, 0));
         POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, 0));
 
@@ -310,7 +310,7 @@ S2N_RESULT s2n_tls13_server_nst_write(struct s2n_connection *conn, struct s2n_st
     /* Write ticket */
     struct s2n_stuffer_reservation ticket_size = { 0 };
     RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(output, &ticket_size));
-    RESULT_GUARD(s2n_encrypt_session_ticket(conn, output));
+    RESULT_GUARD(s2n_resume_encrypt_session_ticket(conn, output));
     RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&ticket_size));
 
     RESULT_GUARD_POSIX(s2n_extension_list_send(S2N_EXTENSION_LIST_NST, conn, output));