From 635b8967741a5299ee649612f24fa8b4653a702b Mon Sep 17 00:00:00 2001 From: Apoorv Kothari Date: Fri, 8 Mar 2024 17:27:17 -0800 Subject: [PATCH 01/11] docs: document s2n_cert_auth_type behavior --- api/s2n.h | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/api/s2n.h b/api/s2n.h index f30d59876a0..743fe4d0234 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2291,7 +2291,31 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st /** * Used to declare what type of client certificate authentication to use. * - * Currently the default for s2n-tls is for neither the server side or the client side to use Client (aka Mutual) authentication. + * Currently the default for s2n-tls is for neither the server side or the client side to use + * Client (aka Mutual) authentication. + * + * A s2n_connection will enforce client certificate authentication (mTLS) differently based on + * the s2n_cert_auth_type and s2n_mode of the connection. + * + * Server connection behavior: + * - None: don't send CLIENT_CERT_REQ and therefore don't perform client authentication. + * - Optional: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client + * certificate or simply continue with the handshake if CLIENT_CERT is empty. + * - Required: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client + * certificate or abort the handshake if CLIENT_CERT is empty. + * + * Client connection behavior: + * - None: if a CLIENT_CERT_REQ is received: abort the handshake. + * - Optional: if a CLIENT_CERT_REQ is received: send a CLIENT_CERT with the client's + * certificate. CLIENT_CERT is empty if no client certificate have been set. + * - Required: expect to receive a CLIENT_CERT_REQ. If no CLIENT_CERT_REQ is received then + * abort the handshake. Send a CLIENT_CERT with the client's certificate. Abort the handshake + * if no client certificate have been set. + * + * - 'CLIENT_CERT_REQ': represents the CertificateRequest message sent by the server to request + * client certificate authentication. + * - 'CLIENT_CERT': upon receiving a CLIENT_CERT_REQ, the client will respond with its certificate + * in a CLIENT_CERT message. */ typedef enum { S2N_CERT_AUTH_NONE, From bef39d628be8db8eeb6ea782ac8c38a17814124e Mon Sep 17 00:00:00 2001 From: Apoorv Kothari Date: Mon, 29 Apr 2024 11:36:10 -0700 Subject: [PATCH 02/11] docs --- api/s2n.h | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 743fe4d0234..953b59e86b8 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2291,31 +2291,31 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st /** * Used to declare what type of client certificate authentication to use. * - * Currently the default for s2n-tls is for neither the server side or the client side to use - * Client (aka Mutual) authentication. - * * A s2n_connection will enforce client certificate authentication (mTLS) differently based on - * the s2n_cert_auth_type and s2n_mode of the connection. + * the s2n_cert_auth_type and s2n_mode(client/server) of the connection, as described below. The + * **default** behavior is used if the application hasn't set an override via + * `s2n_config_set_client_auth_type()` or `s2n_connection_set_client_auth_type()`. + * + * Client authentication involves the following TLS messages: + * - 'CLIENT_CERT_REQ': represents the CertificateRequest message sent by the server to request + * client certificate authentication. + * - 'CLIENT_CERT': upon receiving a CLIENT_CERT_REQ, the client should respond with its certificate + * in a CLIENT_CERT message. * - * Server connection behavior: - * - None: don't send CLIENT_CERT_REQ and therefore don't perform client authentication. + * **Server connection behavior:** + * - None(**default**): don't send CLIENT_CERT_REQ and therefore don't perform client authentication. * - Optional: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client * certificate or simply continue with the handshake if CLIENT_CERT is empty. * - Required: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client * certificate or abort the handshake if CLIENT_CERT is empty. * - * Client connection behavior: - * - None: if a CLIENT_CERT_REQ is received: abort the handshake. - * - Optional: if a CLIENT_CERT_REQ is received: send a CLIENT_CERT with the client's - * certificate. CLIENT_CERT is empty if no client certificate have been set. - * - Required: expect to receive a CLIENT_CERT_REQ. If no CLIENT_CERT_REQ is received then - * abort the handshake. Send a CLIENT_CERT with the client's certificate. Abort the handshake - * if no client certificate have been set. - * - * - 'CLIENT_CERT_REQ': represents the CertificateRequest message sent by the server to request - * client certificate authentication. - * - 'CLIENT_CERT': upon receiving a CLIENT_CERT_REQ, the client will respond with its certificate - * in a CLIENT_CERT message. + * **Client connection behavior:** + * - None: if a CLIENT_CERT_REQ is received abort the handshake. + * - Optional(**default**): if a CLIENT_CERT_REQ is received, send a CLIENT_CERT with the client's + * certificate. The CLIENT_CERT will be empty if no client certificate have been set. + * - Required: expect to receive a CLIENT_CERT_REQ, aborting the handshake if it is not received. + * Send a CLIENT_CERT with the client's certificate, aborting the handshake if no client + * certificate have been set. */ typedef enum { S2N_CERT_AUTH_NONE, From c18633c99c9d2e196ed5b422a87add9300150d67 Mon Sep 17 00:00:00 2001 From: apoorvko Date: Tue, 28 May 2024 14:26:24 -0700 Subject: [PATCH 03/11] update docs --- api/s2n.h | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 953b59e86b8..63b3c4baa51 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2296,27 +2296,18 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * **default** behavior is used if the application hasn't set an override via * `s2n_config_set_client_auth_type()` or `s2n_connection_set_client_auth_type()`. * - * Client authentication involves the following TLS messages: - * - 'CLIENT_CERT_REQ': represents the CertificateRequest message sent by the server to request - * client certificate authentication. - * - 'CLIENT_CERT': upon receiving a CLIENT_CERT_REQ, the client should respond with its certificate - * in a CLIENT_CERT message. - * - * **Server connection behavior:** - * - None(**default**): don't send CLIENT_CERT_REQ and therefore don't perform client authentication. - * - Optional: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client - * certificate or simply continue with the handshake if CLIENT_CERT is empty. - * - Required: send CLIENT_CERT_REQ and expect a CLIENT_CERT message. Validate the client - * certificate or abort the handshake if CLIENT_CERT is empty. - * - * **Client connection behavior:** - * - None: if a CLIENT_CERT_REQ is received abort the handshake. - * - Optional(**default**): if a CLIENT_CERT_REQ is received, send a CLIENT_CERT with the client's - * certificate. The CLIENT_CERT will be empty if no client certificate have been set. - * - Required: expect to receive a CLIENT_CERT_REQ, aborting the handshake if it is not received. - * Send a CLIENT_CERT with the client's certificate, aborting the handshake if no client - * certificate have been set. - */ + * **Server behavior:** + * - None(**default**): don't request client authentication. + * - Optional: request the client's certificate and validate if it's non-empty. + * - Required: request the client's certificate and validate it. + * + * **Client behavior:** + * - None: abort the handshake if the server requests client authentication. + * - Optional(**default**): send the client's certificate (can be empty if not set) if the + * server requested client authentication. + * - Required: send the client's certificate. Terminate the handshake if the server doesn't request + * client authentication or if the application hasn't specified a client certificate. + typedef enum { S2N_CERT_AUTH_NONE, S2N_CERT_AUTH_REQUIRED, From c5818d6087a00e2c35e5717898167bc127e255a2 Mon Sep 17 00:00:00 2001 From: apoorvko Date: Wed, 29 May 2024 14:11:00 -0700 Subject: [PATCH 04/11] update --- api/s2n.h | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 63b3c4baa51..9149ee4c094 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2293,21 +2293,25 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * * A s2n_connection will enforce client certificate authentication (mTLS) differently based on * the s2n_cert_auth_type and s2n_mode(client/server) of the connection, as described below. The - * **default** behavior is used if the application hasn't set an override via + * default behavior is used if the application hasn't set an override via * `s2n_config_set_client_auth_type()` or `s2n_connection_set_client_auth_type()`. * * **Server behavior:** - * - None(**default**): don't request client authentication. - * - Optional: request the client's certificate and validate if it's non-empty. - * - Required: request the client's certificate and validate it. + * - None(**default**): don't request client authentication. Abort the handshake if the client + * sends its certificate. + * - Optional: request the client's certificate and validate if it's non-empty. Abort the + * handshake if the client doesn't send its certificate (can be empty). + * - Required: request the client's certificate and validate it. Abort the handshake if the + * client doesn't send its certificate or sends an empty certificate. * * **Client behavior:** * - None: abort the handshake if the server requests client authentication. - * - Optional(**default**): send the client's certificate (can be empty if not set) if the - * server requested client authentication. - * - Required: send the client's certificate. Terminate the handshake if the server doesn't request - * client authentication or if the application hasn't specified a client certificate. - + * - Optional(**default**): send the client's certificate if the server requested client + * authentication. An empty certificate will be sent if the application hasn't provided a + * client certificate. + * - Required: send the client's certificate. Abort the handshake if the server doesn't request + * client authentication or if the application hasn't provided a client certificate. + */ typedef enum { S2N_CERT_AUTH_NONE, S2N_CERT_AUTH_REQUIRED, From 6ccfc623e7f27212c950764965721125599f2f0d Mon Sep 17 00:00:00 2001 From: apoorvko Date: Wed, 29 May 2024 14:13:18 -0700 Subject: [PATCH 05/11] update --- api/s2n.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 9149ee4c094..e8553887ce1 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2297,7 +2297,7 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * `s2n_config_set_client_auth_type()` or `s2n_connection_set_client_auth_type()`. * * **Server behavior:** - * - None(**default**): don't request client authentication. Abort the handshake if the client + * - None(default): don't request client authentication. Abort the handshake if the client * sends its certificate. * - Optional: request the client's certificate and validate if it's non-empty. Abort the * handshake if the client doesn't send its certificate (can be empty). @@ -2306,7 +2306,7 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * * **Client behavior:** * - None: abort the handshake if the server requests client authentication. - * - Optional(**default**): send the client's certificate if the server requested client + * - Optional(default): send the client's certificate if the server requested client * authentication. An empty certificate will be sent if the application hasn't provided a * client certificate. * - Required: send the client's certificate. Abort the handshake if the server doesn't request From bdef9e1e0052383b7e741f21f1f623ff87dd7eb2 Mon Sep 17 00:00:00 2001 From: apoorvko Date: Wed, 29 May 2024 15:44:11 -0700 Subject: [PATCH 06/11] update --- api/s2n.h | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index e8553887ce1..8304201bbfb 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2292,24 +2292,20 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * Used to declare what type of client certificate authentication to use. * * A s2n_connection will enforce client certificate authentication (mTLS) differently based on - * the s2n_cert_auth_type and s2n_mode(client/server) of the connection, as described below. The - * default behavior is used if the application hasn't set an override via - * `s2n_config_set_client_auth_type()` or `s2n_connection_set_client_auth_type()`. - * - * **Server behavior:** - * - None(default): don't request client authentication. Abort the handshake if the client - * sends its certificate. - * - Optional: request the client's certificate and validate if it's non-empty. Abort the - * handshake if the client doesn't send its certificate (can be empty). - * - Required: request the client's certificate and validate it. Abort the handshake if the - * client doesn't send its certificate or sends an empty certificate. - * - * **Client behavior:** - * - None: abort the handshake if the server requests client authentication. - * - Optional(default): send the client's certificate if the server requested client - * authentication. An empty certificate will be sent if the application hasn't provided a - * client certificate. - * - Required: send the client's certificate. Abort the handshake if the server doesn't request + * the `s2n_cert_auth_type` and `s2n_mode` (client/server) of the connection, as described below. + * + * Server behavior: + * - None(default): Will not request client authentication. + * - Optional: Request the client's certificate and validate it. If no certificate is sent then + * no validation is performed. + * - Required: Request the client's certificate and validate it. Abort the handshake if the + * client doesn't send its certificate. + * + * Client behavior: + * - None: Abort the handshake if the server requests client authentication. + * - Optional(default): Sends the application provided client certificate if the server + * requests client authentication. + * - Required: Send the client certificate. Abort the handshake if the server doesn't request * client authentication or if the application hasn't provided a client certificate. */ typedef enum { From a391f787ff9f3ed719679f7725f9804ab87a5909 Mon Sep 17 00:00:00 2001 From: apoorvko Date: Wed, 29 May 2024 15:46:52 -0700 Subject: [PATCH 07/11] update --- api/s2n.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 8304201bbfb..4ca632d4167 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2296,10 +2296,10 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * * Server behavior: * - None(default): Will not request client authentication. - * - Optional: Request the client's certificate and validate it. If no certificate is sent then + * - Optional: Request the client's certificate and validate it. If no certificate is received then * no validation is performed. - * - Required: Request the client's certificate and validate it. Abort the handshake if the - * client doesn't send its certificate. + * - Required: Request the client's certificate and validate it. Abort the handshake if a client + * certificate not recieved. * * Client behavior: * - None: Abort the handshake if the server requests client authentication. From b230d717bfcd412681ca49abed46f662be1e00f4 Mon Sep 17 00:00:00 2001 From: Apoorv Kothari Date: Fri, 31 May 2024 00:10:10 -0700 Subject: [PATCH 08/11] update --- api/s2n.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 4ca632d4167..6908e06275d 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2295,18 +2295,18 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * the `s2n_cert_auth_type` and `s2n_mode` (client/server) of the connection, as described below. * * Server behavior: - * - None(default): Will not request client authentication. + * - None (default): Will not request client authentication. * - Optional: Request the client's certificate and validate it. If no certificate is received then - * no validation is performed. + * no validation is performed. * - Required: Request the client's certificate and validate it. Abort the handshake if a client - * certificate not recieved. + * certificate is not received. * * Client behavior: * - None: Abort the handshake if the server requests client authentication. - * - Optional(default): Sends the application provided client certificate if the server - * requests client authentication. + * - Optional (default): Sends the application provided client certificate if the server + * requests client authentication. * - Required: Send the client certificate. Abort the handshake if the server doesn't request - * client authentication or if the application hasn't provided a client certificate. + * client authentication or if the application hasn't provided a client certificate. */ typedef enum { S2N_CERT_AUTH_NONE, From 86815db1ddc2783abff36ef84235ae172eef593f Mon Sep 17 00:00:00 2001 From: apoorvko Date: Fri, 31 May 2024 09:57:34 -0700 Subject: [PATCH 09/11] update --- api/s2n.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/s2n.h b/api/s2n.h index 6908e06275d..4e618df9e7c 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2303,8 +2303,8 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * * Client behavior: * - None: Abort the handshake if the server requests client authentication. - * - Optional (default): Sends the application provided client certificate if the server - * requests client authentication. + * - Optional (default): Sends the client certificate if the server requests client + * authentication. No certificate is sent if the application hasn't provided a certificate. * - Required: Send the client certificate. Abort the handshake if the server doesn't request * client authentication or if the application hasn't provided a client certificate. */ From 50bd1706b6831a56988eea7065bf60cf4f61d70e Mon Sep 17 00:00:00 2001 From: apoorvko Date: Fri, 31 May 2024 10:00:58 -0700 Subject: [PATCH 10/11] update --- api/s2n.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/s2n.h b/api/s2n.h index 4e618df9e7c..741caa8d300 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2306,7 +2306,7 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * - Optional (default): Sends the client certificate if the server requests client * authentication. No certificate is sent if the application hasn't provided a certificate. * - Required: Send the client certificate. Abort the handshake if the server doesn't request - * client authentication or if the application hasn't provided a client certificate. + * client authentication or if the application hasn't provided a certificate. */ typedef enum { S2N_CERT_AUTH_NONE, From 4456f0f8bc4e48aa1456d90e420c0c0136b70bc0 Mon Sep 17 00:00:00 2001 From: apoorvko Date: Mon, 3 Jun 2024 00:40:27 -0700 Subject: [PATCH 11/11] update --- api/s2n.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/s2n.h b/api/s2n.h index 741caa8d300..b4772922665 100644 --- a/api/s2n.h +++ b/api/s2n.h @@ -2299,7 +2299,7 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st * - Optional: Request the client's certificate and validate it. If no certificate is received then * no validation is performed. * - Required: Request the client's certificate and validate it. Abort the handshake if a client - * certificate is not received. + * certificate is not received. * * Client behavior: * - None: Abort the handshake if the server requests client authentication.