feat: add async cert validation support #5110

Merged: 13 commits, Feb 20, 2025

@CarolYeh910 CarolYeh910 commented Feb 12, 2025

Release Summary:

Adds async support to s2n_cert_validation_callback

Description of changes:

The async validation function should throw an S2N_ERR_ASYNC_BLOCKED error when neither s2n_cert_validation_accept() nor s2n_cert_validation_reject() is called by the validation callback. After the application finishes processing and updates the callback status (i.e. the cert_validation_info struct) using either API, the application can retry the handshake and complete the validation. To implement this feature, we should consider how to handle the re-entry case. Below are the changes I made:

  1. Moved the cert_validation_info struct into s2n_x509_validator to extend its lifetime, so we can update or check the status after the callback is finished.
  2. Created a bool variable cert_validation_cb_invoked in s2n_x509_validator to identify a re-entry as well as a helper function s2n_x509_validator_handle_cert_validation_callback_result() to check the callback status (e.g. if cert_validation_info.finished is false, bail with S2N_ERR_ASYNC_BLOCKED).
  3. Pulled the major validation process into a new function and updated the control flow with the bool variable in s2n_x509_validator_validate_cert_chain(). On the re-entry case, we only check callback status and do not repeat the validation process.
  4. Retrying the handshake will trigger s2n_handle_retry_state(), which invokes s2n_server_cert_recv() or s2n_client_cert_recv() without updating the stuffer read cursor. This may cause the stuffer to run out of data while retrying these two functions. One solution is to copy the stuffer from conn->handshake.io and restore it after the validation is completed.
  5. Added async test cases (in both TLS 1.3 and 1.2 versions) and implemented self-talk unit tests for the async use case.

Testing:

Confirmed the self-talk unit tests passed both on the client side and on the server side.

$ cmake --build build/ --target test -- ARGS="-L unit -R s2n_cert_validation_callback_test --output-on-failure"

Running tests...
Test project /home/ubuntu/s2n-tls/build
    Start 18: s2n_cert_validation_callback_test
1/1 Test #18: s2n_cert_validation_callback_test ...   Passed    0.73 sec

100% tests passed, 0 tests failed out of 1

Label Time Summary:
unit    =   0.73 sec*proc (1 test)

Total Test time (real) =   0.74 sec

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
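
The re-entry flow described in the pull request above, modelled as an added example that is not part of the pull request or of s2n-tls. Every `demo_` name is hypothetical, and the chain validation is reduced to a counter so the "validate once, then only check status" behaviour is observable.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the described control flow; all names are hypothetical. */
enum demo_result { DEMO_OK = 0, DEMO_ERR_ASYNC_BLOCKED = 1, DEMO_ERR_REJECTED = 2 };
struct demo_validation_info { bool finished; bool accepted; };

struct demo_validator {
    struct demo_validation_info info; /* stored in the validator so it outlives the callback */
    bool cb_invoked;                  /* set once the callback has run: marks a re-entry */
    int chain_checks;                 /* how many times the chain validation ran */
};
typedef void (*demo_cb)(struct demo_validation_info *info);

/* Called by the application, possibly long after the callback returned. */
void demo_accept(struct demo_validation_info *i) { i->finished = true; i->accepted = true; }
void demo_reject(struct demo_validation_info *i) { i->finished = true; i->accepted = false; }

/* Map the stored status to a result; an unfinished decision never maps to OK. */
static enum demo_result demo_handle_cb_result(const struct demo_validator *v)
{
    if (!v->info.finished) return DEMO_ERR_ASYNC_BLOCKED; /* caller retries later */
    return v->info.accepted ? DEMO_OK : DEMO_ERR_REJECTED;
}

enum demo_result demo_validate_chain(struct demo_validator *v, demo_cb cb)
{
    if (!v->cb_invoked) {
        v->chain_checks++;    /* stand-in for the chain validation: first entry only */
        v->cb_invoked = true;
        cb(&v->info);         /* may return without accepting or rejecting */
    }
    return demo_handle_cb_result(v); /* re-entry consults only the stored status */
}

/* Constructed callback that defers its decision to the application. */
void demo_cb_defer(struct demo_validation_info *info) { (void) info; }

int main(void)
{
    struct demo_validator v = { 0 };
    printf("first call: %d\n", (int) demo_validate_chain(&v, demo_cb_defer));
    printf("retry:      %d\n", (int) demo_validate_chain(&v, demo_cb_defer));
    demo_accept(&v.info);
    printf("after ok:   %d\n", (int) demo_validate_chain(&v, demo_cb_defer));
    return 0;
}
```
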

@github-actions github-actions bot added the s2n-core team label Feb 12, 2025
@goatgoose goatgoose self-requested a review February 12, 2025 02:35
@CarolYeh910 CarolYeh910 added this pull request to the merge queue Feb 20, 2025
Merged via the queue into aws:main with commit f8904b1 Feb 20, 2025
46 checks passed
@CarolYeh910 CarolYeh910 deleted the async-cert-validation branch February 20, 2025 03:38