Merge branch 'main' into sslv3-ossl-1-0-2-handshake-fix

.gitignore

@@ -40,3 +40,5 @@ build/
 result
 result-*
 *.class
+# Exclude rust build directories
+*target/

bin/common.c

@@ -489,9 +489,15 @@ uint8_t unsafe_verify_host(const char *host_name, size_t host_name_len, void *da
         return (uint8_t) (strcasecmp(suffix, host_name + 1) == 0);
     }
 
-    if (strcasecmp(host_name, "localhost") == 0 || strcasecmp(host_name, "127.0.0.1") == 0) {
-        return (uint8_t) (strcasecmp(verify_data->trusted_host, "localhost") == 0
-                || strcasecmp(verify_data->trusted_host, "127.0.0.1") == 0);
+    /* If we're connecting to localhost, accept any values that represent localhost */
+    bool is_localhost = (strcasecmp(verify_data->trusted_host, "localhost") == 0);
+    is_localhost |= (strcasecmp(verify_data->trusted_host, "127.0.0.1") == 0);
+    if (is_localhost) {
+        bool match = (strcasecmp(host_name, "localhost") == 0);
+        match |= (strcasecmp(host_name, "127.0.0.1") == 0);
+        /* Some of our older test certificates use odd common names */
+        match |= (strcasecmp(host_name, "s2nTestServer") == 0);
+        return (uint8_t) match;
     }
 
     return (uint8_t) (strcasecmp(host_name, verify_data->trusted_host) == 0);

bin/s2nc.c

@@ -47,6 +47,28 @@
 #define OPT_SERIALIZE_OUT      1008
 #define OPT_DESERIALIZE_IN     1009
 
+/* This should match the final cert in the s2nd default_certificate_chain */
+const char default_trusted_cert[] =
+        "-----BEGIN CERTIFICATE-----"
+        "MIIC/jCCAeagAwIBAgIUFFjxpSf0mUsrVbyLPQhccDYfixowDQYJKoZIhvcNAQEL"
+        "BQAwFjEUMBIGA1UEAwwLczJuVGVzdFJvb3QwIBcNMjAwMTI0MDEwODIyWhgPMjEx"
+        "OTEyMzEwMTA4MjJaMBYxFDASBgNVBAMMC3MyblRlc3RSb290MIIBIjANBgkqhkiG"
+        "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3AaOAlkcxJHryCI9SfwB9q4PA53hv5tz4ZL"
+        "be37b69v58mfP+D18cWIBHUmkmN6gWWoWZ/9hv75pxcNXW0zPn7+wOVvXLUjtmkq"
+        "1IGT/mykhasw00viaBFAuBHZ5iLwfc4/cjUFAPVCKLmfv5Xs7TJVzWA/0mR4r1h8"
+        "uFqqXczkVMklIbsOIrlZXz8ifQs3DpFA2FeoziEh+Pcb4c3QBPgCHFDEGyTSdqo9"
+        "+NbS+iRlw0T6tqUOpC0DdKXo/3mJNBmy4XPahTi9zgsu7b+UVqemL7eXXf/iSr5y"
+        "iwJKJjz+N/rLpcF1VJtF8q0fpHagzljQaN7/emjg7BplUUyLawIDAQABo0IwQDAP"
+        "BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTDmXkyQEJ7ZciyE4KF7wAJKDxMfDAO"
+        "BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAFobyhsc7mYoGaA7N4Pp"
+        "it+MQZZNzWte5vWal/3/2V7ZGrJsgeCPwLblzzTmey85RilX6ovMQHEqT1vBFSHq"
+        "nntMZnHkEl2QLU8XopJWR4MXK7LzjjQYaXiZhGbJbtylVSfATAa/ZzdgjBx1C8aD"
+        "IM1+ELGCP/UHD0YEJkFoxSUwXGAXoV8I+cPDAWHC6VnC4mY8qubhx95FpX02ERnz"
+        "1Cw2YWtntyO8P52dEJD1+0EJjtVX4Bj5wwgJHHbDkPP1IzFrR/uBC2LCjtRY+UtZ"
+        "kfoDfWu2tslkLK7/LaC5qZyCPKnpPHLLz8gUWKlvbuejM99FTlBg/tcH+bv5x7WB"
+        "MZ8="
+        "-----END CERTIFICATE-----";
+
 /*
  * s2nc is an example client that uses many s2n-tls APIs.
  * It is intended for testing purposes only, and should not be used in production.
@@ -616,6 +638,8 @@ int main(int argc, char *const *argv)
             GUARD_EXIT(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key), "Error setting certificate/key");
         }
 
+        GUARD_EXIT(s2n_config_add_pem_to_trust_store(config, default_trusted_cert),
+                "Error adding default cert to trust store.");
         if (ca_file || ca_dir) {
             GUARD_EXIT(s2n_config_wipe_trust_store(config), "Error wiping trust store");
             if (s2n_config_set_verification_ca_location(config, ca_file, ca_dir) < 0) {

bindings/rust/s2n-tls/Cargo.toml

@@ -12,9 +12,11 @@ license = "Apache-2.0"
 default = []
 unstable-fingerprint = ["s2n-tls-sys/unstable-fingerprint"]
 unstable-ktls = ["s2n-tls-sys/unstable-ktls"]
+unstable-renegotiate = ["s2n-tls-sys/unstable-renegotiate"]
 quic = ["s2n-tls-sys/quic"]
 fips = ["s2n-tls-sys/fips"]
 pq = ["s2n-tls-sys/pq"]
+unstable-testing = []
 
 [dependencies]
 errno = { version = "0.3" }
@@ -26,6 +28,8 @@ hex = "0.4"
 [dev-dependencies]
 futures-test = "0.3"
 openssl = "0.10"
+openssl-sys = "0.9"
+foreign-types = "0.3"
 temp-env = "0.3"
 checkers = "0.6"
 # newer versions require rust 1.66, see https://github.com/aws/s2n-tls/issues/4241

bindings/rust/s2n-tls/src/callbacks/pkey.rs

@@ -73,7 +73,7 @@ impl PrivateKeyOperation {
     /// The size of the slice returned by [`input()`]
     pub fn input_size(&self) -> Result<usize, Error> {
         let mut size = 0;
-        unsafe { s2n_async_pkey_op_get_input_size(self.raw.as_ptr(), &mut size) }.into_result()?;
+        unsafe { s2n_async_pkey_op_get_input_size(self.as_ptr(), &mut size) }.into_result()?;
         size.try_into().map_err(|_| Error::INVALID_INPUT)
     }
 
@@ -84,8 +84,7 @@ impl PrivateKeyOperation {
     pub fn input(&self, buf: &mut [u8]) -> Result<(), Error> {
         let buf_len: u32 = buf.len().try_into().map_err(|_| Error::INVALID_INPUT)?;
         let buf_ptr = buf.as_ptr() as *mut u8;
-        unsafe { s2n_async_pkey_op_get_input(self.raw.as_ptr(), buf_ptr, buf_len) }
-            .into_result()?;
+        unsafe { s2n_async_pkey_op_get_input(self.as_ptr(), buf_ptr, buf_len) }.into_result()?;
         Ok(())
     }
 
@@ -94,11 +93,15 @@ impl PrivateKeyOperation {
         let buf_len: u32 = buf.len().try_into().map_err(|_| Error::INVALID_INPUT)?;
         let buf_ptr = buf.as_ptr();
         unsafe {
-            s2n_async_pkey_op_set_output(self.raw.as_ptr(), buf_ptr, buf_len).into_result()?;
-            s2n_async_pkey_op_apply(self.raw.as_ptr(), conn.as_ptr()).into_result()?;
+            s2n_async_pkey_op_set_output(self.as_ptr(), buf_ptr, buf_len).into_result()?;
+            s2n_async_pkey_op_apply(self.as_ptr(), conn.as_ptr()).into_result()?;
         }
         Ok(())
     }
+
+    pub(crate) fn as_ptr(&self) -> *mut s2n_async_pkey_op {
+        self.raw.as_ptr()
+    }
 }
 
 impl Drop for PrivateKeyOperation {

bindings/rust/s2n-tls/src/config.rs

@@ -1,6 +1,8 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+#[cfg(feature = "unstable-renegotiate")]
+use crate::renegotiate::RenegotiateCallback;
 use crate::{
     callbacks::*,
     enums::*,
@@ -436,12 +438,12 @@ impl Builder {
             verify_host(host_name, host_name_len, handler)
         }
 
-        self.config.context_mut().verify_host_callback = Some(Box::new(handler));
+        self.context_mut().verify_host_callback = Some(Box::new(handler));
         unsafe {
             s2n_config_set_verify_host_callback(
                 self.as_mut_ptr(),
                 Some(verify_host_cb_fn),
-                self.config.context_mut() as *mut Context as *mut c_void,
+                self.context_mut() as *mut Context as *mut c_void,
             )
             .into_result()?;
         }
@@ -490,7 +492,7 @@ impl Builder {
         }
 
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.client_hello_callback = Some(handler);
 
         unsafe {
@@ -511,7 +513,7 @@ impl Builder {
     ) -> Result<&mut Self, Error> {
         // Store callback in config context
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.connection_initializer = Some(handler);
         Ok(self)
     }
@@ -540,14 +542,14 @@ impl Builder {
 
         // Store callback in context
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.session_ticket_callback = Some(handler);
 
         unsafe {
             s2n_config_set_session_ticket_cb(
                 self.as_mut_ptr(),
                 Some(session_ticket_cb),
-                self.config.context_mut() as *mut Context as *mut c_void,
+                self.context_mut() as *mut Context as *mut c_void,
             )
             .into_result()
         }?;
@@ -577,7 +579,7 @@ impl Builder {
         }
 
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.private_key_callback = Some(handler);
 
         unsafe {
@@ -611,13 +613,13 @@ impl Builder {
         }
 
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.wall_clock = Some(handler);
         unsafe {
             s2n_config_set_wall_clock(
                 self.as_mut_ptr(),
                 Some(clock_cb),
-                self.config.context_mut() as *mut _ as *mut c_void,
+                self.context_mut() as *mut _ as *mut c_void,
             )
             .into_result()?;
         }
@@ -648,13 +650,13 @@ impl Builder {
         }
 
         let handler = Box::new(handler);
-        let context = self.config.context_mut();
+        let context = self.context_mut();
         context.monotonic_clock = Some(handler);
         unsafe {
             s2n_config_set_monotonic_clock(
                 self.as_mut_ptr(),
                 Some(clock_cb),
-                self.config.context_mut() as *mut _ as *mut c_void,
+                self.context_mut() as *mut _ as *mut c_void,
             )
             .into_result()?;
         }
@@ -762,9 +764,20 @@ impl Builder {
         Ok(self.config)
     }
 
-    fn as_mut_ptr(&mut self) -> *mut s2n_config {
+    pub(crate) fn as_mut_ptr(&mut self) -> *mut s2n_config {
         self.config.as_mut_ptr()
     }
+
+    /// Retrieve a mutable reference to the [`Context`] stored on the config.
+    pub(crate) fn context_mut(&mut self) -> &mut Context {
+        let mut ctx = core::ptr::null_mut();
+        unsafe {
+            s2n_config_get_ctx(self.as_mut_ptr(), &mut ctx)
+                .into_result()
+                .unwrap();
+            &mut *(ctx as *mut Context)
+        }
+    }
 }
 
 #[cfg(feature = "quic")]
@@ -797,6 +810,8 @@ pub(crate) struct Context {
     pub(crate) connection_initializer: Option<Box<dyn ConnectionInitializer>>,
     pub(crate) wall_clock: Option<Box<dyn WallClock>>,
     pub(crate) monotonic_clock: Option<Box<dyn MonotonicClock>>,
+    #[cfg(feature = "unstable-renegotiate")]
+    pub(crate) renegotiate: Option<Box<dyn RenegotiateCallback>>,
 }
 
 impl Default for Context {
@@ -814,6 +829,8 @@ impl Default for Context {
             connection_initializer: None,
             wall_clock: None,
             monotonic_clock: None,
+            #[cfg(feature = "unstable-renegotiate")]
+            renegotiate: None,
         }
     }
 }