
Add s2n_is_handshake_complete() API

Open fwsGonzo opened this issue 7 years ago • 7 comments

// Handshake message types copied out of s2n's internal handshake state
// machine definitions; they are not exposed by the public header.
typedef enum {
  CLIENT_HELLO=0,
  SERVER_HELLO,
  SERVER_CERT,
  SERVER_NEW_SESSION_TICKET,
  SERVER_CERT_STATUS,
  SERVER_KEY,
  SERVER_CERT_REQ,
  SERVER_HELLO_DONE,
  CLIENT_CERT,
  CLIENT_KEY,
  CLIENT_CERT_VERIFY,
  CLIENT_CHANGE_CIPHER_SPEC,
  CLIENT_FINISHED,
  SERVER_CHANGE_CIPHER_SPEC,
  SERVER_FINISHED,
  APPLICATION_DATA
} message_type_t;
// Internal s2n function, declared by hand so the C++ wrapper can link against it.
extern "C" message_type_t s2n_conn_get_current_message_type(struct s2n_connection *conn);

...

  // The handshake is done once the connection has advanced to the
  // APPLICATION_DATA state (both Finished messages have been processed).
  inline bool TLS_stream::handshake_completed() const noexcept
  {
    return APPLICATION_DATA == s2n_conn_get_current_message_type(this->m_conn);
  }

Is there a better way to ask for is_handshake_complete() than copying parts of the source code out?

fwsGonzo avatar Sep 21 '18 13:09 fwsGonzo

Are you looking for something that will tell you exactly when the last message of the handshake is received? Or just that a TLS connection was successfully negotiated?

For the latter, the examples in the /bin folder are pretty helpful. In particular, the negotiate function has an example of the conditions to look for.

lurkshark avatar Sep 25 '18 22:09 lurkshark

Yes, I would like to be able to ask a s2n_connection if the negotiation is completed. And APPLICATION_DATA seems to be just that. It's just not publicly accessible to my knowledge at the moment of writing.

My TLS streams are async, and I would like to not have to statekeep this little bit myself. Especially when the information is readily available in s2n_connection.

fwsGonzo avatar Sep 26 '18 08:09 fwsGonzo

Does the example linked-to in my previous comment meet your use case?

lurkshark avatar Sep 26 '18 19:09 lurkshark

Does the example linked-to in my previous comment meet your use case?

The s2n_negotiate call is not enough to later on, at an arbitrary time, determine if the handshake was completed.

fwsGonzo avatar Sep 27 '18 09:09 fwsGonzo

Ahh, I understand a bit better. It seems like it would definitely be possible to surface this as a separate API. Currently (if you're looking for something to unblock yourself), that s2n_negotiate function actually starts with a similar check as to what you have in the original post.

Basically it sounds like you're asking for an API that looks something like this:

/* Returns 1 once the handshake has finished, 0 while it is still in progress.
 * ACTIVE_STATE() is s2n's internal macro for the current handshake action;
 * its writer field is 'C' (client writes), 'S' (server writes) or 'B' (both),
 * and 'B' is only reached once the handshake is complete and application data
 * may flow in both directions. */
int s2n_is_handshake_complete(struct s2n_connection *conn)
{
    if (ACTIVE_STATE(conn).writer == 'B') {
        return 1;
    }
    return 0;
}

While I was taking a peek through the code I noticed a macro that does this, maybe that can just be surfaced or built-on?

lurkshark avatar Sep 27 '18 21:09 lurkshark

Yes, the macro looks like the best contender so far. Making that into its own s2n_handshake_completed would be awesome for an async stream. :ok_hand:

fwsGonzo avatar Sep 28 '18 18:09 fwsGonzo

I ended up adding this here: https://github.com/awslabs/s2n/pull/906/commits/cc96f68767404e60bc5bd8dbd1598267cbb648b7 seen at https://github.com/awslabs/s2n/pull/906

fwsGonzo avatar Nov 29 '18 14:11 fwsGonzo