/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#pragma once

#include "api/s2n.h"
#include "crypto/s2n_certificate.h"
#include "crypto/s2n_dhe.h"
#include "tls/s2n_resume.h"
#include "tls/s2n_x509_validator.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_set.h"
#include "tls/s2n_psk.h"

/* NOTE(review): presumably the upper bounds for the ticket_keys and
 * ticket_key_hashes sets in struct s2n_config; confirm where they are enforced. */
#define S2N_MAX_TICKET_KEYS 48
#define S2N_MAX_TICKET_KEY_HASHES 500 /* 10KB */

struct s2n_cipher_preferences;

/* Configuration object. Judging by its members it groups certificate and
 * trust-store settings, session ticket / session cache state, PSK and early-data
 * settings, and application-supplied callbacks with their context pointers.
 *
 * Several members gate security checks (disable_x509_validation, check_ocsp,
 * client_cert_auth_type, verify_host, key_log_cb). None of the code that writes
 * them is in this header, so review every setter when auditing a deployment. */
struct s2n_config {
    /* The following bitfield flags are used in SAW proofs. The positions of
     * these flags are important, as SAW looks up each flag by their index
     * in the struct starting from 0. See the comments surrounding
     * config_bitfield in tests/saw/spec/handshake/handshake_io_lowlevel.saw for
     * more details. Make sure that any new flags are added after these ones
     * so that the indices in the SAW proofs do not need to be changed each time.
     *
     * START OF SAW-TRACKED BITFIELD FLAGS */

    unsigned use_tickets:1;

    /* Whether a connection can be used by a QUIC implementation.
     * See s2n_quic_support.h */
    unsigned quic_enabled:1;

    /* END OF SAW-TRACKED BITFIELD FLAGS */

    unsigned cert_allocated:1;
    unsigned default_certs_are_explicit:1;
    unsigned use_session_cache:1;
    /* if this is FALSE, server will ignore client's Maximum Fragment Length request */
    unsigned accept_mfl:1;
    /* NOTE(review): security-sensitive pair. By name, check_ocsp gates OCSP checking
     * and disable_x509_validation switches off X.509 validation of the peer's
     * certificate. Confirm that disable_x509_validation is only ever set through an
     * explicit opt-in or a test-only path, never as a default. */
    unsigned check_ocsp:1;
    unsigned disable_x509_validation:1;
    /* presumably records that max_verify_cert_chain_depth (below) was set
     * explicitly; verify against the setter */
    unsigned max_verify_cert_chain_depth_set:1;
    /* Whether to add dss cert type during a server certificate request.
     * See https://github.com/awslabs/s2n/blob/main/docs/USAGE-GUIDE.md */
    unsigned cert_req_dss_legacy_compat_enabled:1;
    /* Whether any RSA certificates have been configured server-side to send to clients. This is needed so that the
     * server knows whether or not to self-downgrade to TLS 1.2 if the server is compiled with Openssl 1.0.2 and does
     * not support RSA PSS signing (which is required for TLS 1.3). */
    unsigned is_rsa_cert_configured:1;
    /* It's possible to use a certificate without loading the private key,
     * but async signing must be enabled. Use this flag to enforce that restriction.
     */
    unsigned no_signing_key:1;

    struct s2n_dh_params *dhparams;
    /* Needed until we can deprecate s2n_config_add_cert_chain_and_key. This is
     * used to release memory allocated only in the deprecated API that the application
     * does not have a reference to. */
    struct s2n_map *domain_name_to_cert_map;
    struct certs_by_type default_certs_by_type;
    struct s2n_blob application_protocols;
    s2n_status_request_type status_request_type;
    s2n_clock_time_nanoseconds wall_clock;
    s2n_clock_time_nanoseconds monotonic_clock;

    const struct s2n_security_policy *security_policy;

    /* Opaque context pointers; presumably handed back to wall_clock and
     * monotonic_clock respectively - TODO confirm against the callers. */
    void *sys_clock_ctx;
    void *monotonic_clock_ctx;

    s2n_client_hello_fn *client_hello_cb;
    s2n_client_hello_cb_mode client_hello_cb_mode;

    void *client_hello_cb_ctx;

    uint64_t session_state_lifetime_in_nanos;

    /* Session ticket key state. The *_in_nanos suffix indicates the lifetimes are
     * expressed in nanoseconds. NOTE(review): the two lifetimes presumably decide
     * how long a key may encrypt new tickets and how long it may still decrypt old
     * ones; confirm the rotation logic before changing either value. */
    struct s2n_set *ticket_keys;
    struct s2n_set *ticket_key_hashes;
    uint64_t encrypt_decrypt_key_lifetime_in_nanos;
    uint64_t decrypt_key_lifetime_in_nanos;

    /* If session cache is being used, these must all be set */
    s2n_cache_store_callback cache_store;
    void *cache_store_data;

    s2n_cache_retrieve_callback cache_retrieve;
    void *cache_retrieve_data;

    s2n_cache_delete_callback cache_delete;
    void *cache_delete_data;

    s2n_ct_support_level ct_type;

    /* NOTE(review): by name, selects whether client certificates are requested or
     * required (mutual TLS); the enum values are declared elsewhere. */
    s2n_cert_auth_type client_cert_auth_type;

    s2n_alert_behavior alert_behavior;

    /* Return TRUE if the host should be trusted. If FALSE, this will likely be called again for every
     * host/alternative name in the certificate. If any call returns TRUE, the host is trusted; if none
     * return TRUE, the cert will be considered untrusted.
     * host_name is passed together with host_name_len, so an implementation should compare using the
     * length rather than assume NUL termination - TODO confirm against the caller. */
    uint8_t (*verify_host)(const char *host_name, size_t host_name_len, void *data);
    void *data_for_verify_host;

    /* Application supplied callback to resolve domain name conflicts when loading certs. */
    s2n_cert_tiebreak_callback cert_tiebreak_cb;

    uint8_t mfl_code;

    uint8_t initial_tickets_to_send;

    struct s2n_x509_trust_store trust_store;
    uint16_t max_verify_cert_chain_depth;

    s2n_async_pkey_fn async_pkey_cb;

    s2n_psk_selection_callback psk_selection_cb;
    void *psk_selection_ctx;

    /* NOTE(review): presumably a TLS key-logging hook. Anything emitted through it
     * would let whoever holds the log decrypt captured traffic, so confirm it is
     * unset by default and only enabled deliberately for debugging. */
    s2n_key_log_fn key_log_cb;
    void *key_log_ctx;

    s2n_session_ticket_fn session_ticket_cb;
    void *session_ticket_ctx;

    /* NOTE(review): early-data (0-RTT) settings, by name. TLS 1.3 early data can be
     * replayed, so confirm how early_data_cb and server_max_early_data_size are
     * applied before enabling it for non-idempotent requests. */
    s2n_early_data_cb early_data_cb;

    uint32_t server_max_early_data_size;

    s2n_psk_mode psk_mode;

    s2n_async_pkey_validation_mode async_pkey_validation_mode;
};

int s2n_config_defaults_init(void);
extern struct s2n_config *s2n_fetch_default_config(void);
/* NOTE(review): the name marks this as test-only; it presumably relaxes certificate
 * checks on the given config. Confirm it is never reachable from production code. */
int s2n_config_set_unsafe_for_testing(struct s2n_config *config);

int s2n_config_init_session_ticket_keys(struct s2n_config *config);
int s2n_config_free_session_ticket_keys(struct s2n_config *config);

void s2n_wipe_static_configs(void);
extern struct s2n_cert_chain_and_key *s2n_config_get_single_default_cert(struct s2n_config *config);
int s2n_config_get_num_default_certs(struct s2n_config *config);