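/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *     http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#pragma once

#include "utils/s2n_blob.h"

#include "stuffer/s2n_stuffer.h"

/*
 * Size and lifetime constants for session resumption (session cache and
 * session tickets).
 *
 * Every composite expansion below is fully parenthesized so the constants can
 * be used inside larger arithmetic (e.g. `2 * S2N_TLS12_SESSION_SIZE`) without
 * operator-precedence surprises.
 */

/* Lifetime of serialized session state: 15 hours. This equals the sum of the
 * two ticket-key windows below (2 h encrypt/decrypt + 13 h decrypt-only). */
#define S2N_STATE_LIFETIME_IN_NANOS 54000000000000 /* 15 hours */

/* Serialized TLS 1.2 state. The fixed bytes are presumably format/version
 * markers, a timestamp and a flag around the cipher suite and secret — confirm
 * against the serializer before relying on the layout. */
#define S2N_TLS12_STATE_SIZE_IN_BYTES (1 + 8 + 1 + S2N_TLS_CIPHER_SUITE_LEN + S2N_TLS_SECRET_LEN + 1)
#define S2N_TLS13_FIXED_STATE_SIZE 21
#define S2N_TLS13_FIXED_EARLY_DATA_STATE_SIZE 3

#define S2N_TLS_SESSION_CACHE_TTL (6 * 60 * 60) /* 6 hours, in seconds */

/* Ticket key identifier carried in the clear in each ticket. */
#define S2N_TICKET_KEY_NAME_LEN 16
/* AAD = implicit (per-key) portion + the key name. */
#define S2N_TICKET_AAD_IMPLICIT_LEN 12
#define S2N_TICKET_AAD_LEN (S2N_TICKET_AAD_IMPLICIT_LEN + S2N_TICKET_KEY_NAME_LEN)
#define S2N_AES256_KEY_LEN 32

#define ONE_SEC_IN_NANOS 1000000000
#define ONE_MILLISEC_IN_NANOS 1000000
#define ONE_WEEK_IN_SEC 604800

/* Wire size of a TLS 1.2 ticket: key name || GCM IV || encrypted state || GCM tag. */
#define S2N_TLS12_TICKET_SIZE_IN_BYTES (S2N_TICKET_KEY_NAME_LEN + S2N_TLS_GCM_IV_LEN + \
        S2N_TLS12_STATE_SIZE_IN_BYTES + S2N_TLS_GCM_TAG_LEN)

/* Ticket key rotation windows (by name: a key encrypts and decrypts for the
 * first window, then only decrypts for the second). */
#define S2N_TICKET_ENCRYPT_DECRYPT_KEY_LIFETIME_IN_NANOS 7200000000000 /* 2 hours */
#define S2N_TICKET_DECRYPT_KEY_LIFETIME_IN_NANOS 46800000000000       /* 13 hours */

#define S2N_STATE_FORMAT_LEN 1
#define S2N_TICKET_LIFETIME_HINT_LEN 4
#define S2N_SESSION_TICKET_SIZE_LEN 2

/* Comparison results; parenthesized so the negative value survives unary
 * operators and multiplication at the use site. */
#define S2N_GREATER_OR_EQUAL 1
#define S2N_LESS_THAN (-1)

/* Size of a serialized TLS 1.2 session (format byte, ticket length, ticket,
 * state). The whole sum is parenthesized: the unparenthesized form bound only
 * the first term when multiplied or subtracted. */
#define S2N_TLS12_SESSION_SIZE (S2N_STATE_FORMAT_LEN + \
        S2N_SESSION_TICKET_SIZE_LEN +                  \
        S2N_TLS12_TICKET_SIZE_IN_BYTES +               \
        S2N_TLS12_STATE_SIZE_IN_BYTES)
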
struct s2n_connection;
struct s2n_config;

/* One session-ticket encryption key held by a config.
 * NOTE(review): aes_key is raw key material; confirm that retiring a key
 * (s2n_config_wipe_expired_ticket_crypto_keys) zeroizes it rather than just
 * dropping it. */
struct s2n_ticket_key {
    unsigned char key_name[S2N_TICKET_KEY_NAME_LEN];   /* public key identifier, sent in the clear in each ticket */
    uint8_t aes_key[S2N_AES256_KEY_LEN];               /* AES-256 key material */
    uint8_t implicit_aad[S2N_TICKET_AAD_IMPLICIT_LEN]; /* per-key portion of the GCM AAD */
    uint64_t intro_timestamp;                          /* presumably when the key was introduced; drives the lifetime windows — confirm */
};

/* Presumably used to pick an encryption key among several candidates by
 * weight — confirm against the selection code. */
struct s2n_ticket_key_weight {
    double key_weight;
    uint8_t key_index; /* index into the config's key store */
};

/* Fields that go into a ticket (TLS 1.3 naming). */
struct s2n_ticket_fields {
    struct s2n_blob session_secret; /* resumption secret to protect inside the ticket */
    uint32_t ticket_age_add;        /* by name, the TLS 1.3 ticket_age_add obfuscation value — confirm */
};

/* A ticket as received/issued plus its advertised lifetime. */
struct s2n_session_ticket {
    struct s2n_blob ticket_data;
    uint32_t session_lifetime; /* presumably seconds, as in NewSessionTicket — confirm */
};

/* Look up the ticket key with the given name in config; returns NULL when no
 * key with that name is stored (presumed from the pointer return). */
extern struct s2n_ticket_key *s2n_find_ticket_key(struct s2n_config *config, const uint8_t *name);
/* Ticket/cache (de)serialization. The `int` functions presumably follow the
 * s2n 0 / -1 convention; the S2N_RESULT ones use the result type — confirm. */
extern int s2n_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to);
extern int s2n_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from);
extern int s2n_encrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *to);
extern int s2n_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from);
/* Whether config currently holds a key inside its encrypt/decrypt window. */
extern int s2n_config_is_encrypt_decrypt_key_available(struct s2n_config *config);
/* Checks that a key (identified by hash) is not already stored; insert_index
 * is an output — presumably where the key would be placed. */
extern int s2n_verify_unique_ticket_key(struct s2n_config *config, uint8_t *hash, uint16_t *insert_index);
/* Removes keys past their decrypt lifetime; expired_key_index semantics
 * (e.g. a sentinel meaning "scan all") are not visible here — confirm. */
extern int s2n_config_wipe_expired_ticket_crypto_keys(struct s2n_config *config, int8_t expired_key_index);
extern int s2n_config_store_ticket_key(struct s2n_config *config, struct s2n_ticket_key *key);

/* How client-side session state is keyed: by session ID or by ticket. */
typedef enum {
    S2N_STATE_WITH_SESSION_ID = 0,
    S2N_STATE_WITH_SESSION_TICKET
} s2n_client_tls_session_state_format;

/* First byte of serialized state; selects the TLS 1.2 or TLS 1.3 layout. */
typedef enum {
    S2N_TLS12_SERIALIZED_FORMAT_VERSION = 1,
    S2N_TLS13_SERIALIZED_FORMAT_VERSION,
} s2n_serial_format_version;

/* Session-cache policy and access for a connection. */
extern int s2n_allowed_to_cache_connection(struct s2n_connection *conn);
extern int s2n_resume_from_cache(struct s2n_connection *conn);
S2N_RESULT s2n_store_to_cache(struct s2n_connection *conn);
/* Writes the serialized state size for conn into *state_size. */
S2N_RESULT s2n_connection_get_session_state_size(struct s2n_connection *conn,
        size_t *state_size);