aws · maddeleine · May 7, 2024 · May 1, 2024 · May 2, 2024 · May 2, 2024
diff --git a/bin/common.c b/bin/common.c
@@ -376,6 +376,17 @@ int s2n_set_common_server_config(int max_early_data, struct s2n_config *config,
 
 int s2n_setup_server_connection(struct s2n_connection *conn, int fd, struct s2n_config *config, struct conn_settings settings)
 {
+    if (settings.deserialize_in) {
+        size_t deserialize_length = 0;
+        GUARD_RETURN(get_file_size(settings.deserialize_in, &deserialize_length), "Failed to read serialize-in file size");
+        ENSURE_EXIT(deserialize_length <= UINT32_MAX, "serialize-in file size is too large");
+        uint8_t *mem = malloc(deserialize_length);
+        GUARD_EXIT_NULL(mem);
+        GUARD_RETURN(load_file_to_array(settings.deserialize_in, mem, deserialize_length), "Failed to read serialize-in file");
+        GUARD_RETURN(s2n_connection_deserialize(conn, mem, (uint32_t) deserialize_length), "Failed to deserialize connection");
+        free(mem);
+    }
+
     if (settings.self_service_blinding) {
         s2n_connection_set_blinding(conn, S2N_SELF_SERVICE_BLINDING);
     }

diff --git a/bin/common.h b/bin/common.h
@@ -35,6 +35,14 @@
         }                         \
     } while (0)
 
+#define ENSURE_EXIT(x, msg)       \
+    do {                          \
+        if (!(x)) {               \
+            print_s2n_error(msg); \
+            exit(1);              \
+        }                         \
+    } while (0)
+
 #define GUARD_RETURN(x, msg)      \
     do {                          \
         if ((x) < 0) {            \
@@ -74,6 +82,8 @@ struct conn_settings {
     int max_conns;
     const char *ca_dir;
     const char *ca_file;
+    const char *serialize_out;
+    const char *deserialize_in;
     char *psk_optarg_list[S2N_MAX_PSK_LIST_LENGTH];
     size_t psk_list_len;
 };

diff --git a/bin/s2nc.c b/bin/s2nc.c
@@ -44,6 +44,8 @@
 #define OPT_PREFER_LOW_LATENCY 1005
 #define OPT_PREFER_THROUGHPUT  1006
 #define OPT_BUFFERED_SEND      1007
+#define OPT_SERIALIZE_OUT      1008
+#define OPT_DESERIALIZE_IN     1009
 
 /*
  * s2nc is an example client that uses many s2n-tls APIs.
@@ -95,6 +97,10 @@ void usage()
     fprintf(stderr, "    Path to a file where the session ticket can be stored.\n");
     fprintf(stderr, "  --ticket-in [file path]\n");
     fprintf(stderr, "    Path to session ticket file to resume connection.\n");
+    fprintf(stderr, "  --serialize-out [file path]\n");
+    fprintf(stderr, "    Path to a file where a serialized connection can be stored.\n");
+    fprintf(stderr, "  --deserialize-in [file path]\n");
+    fprintf(stderr, "    Path to a file where a serialized connection lives. Will be used to skip the handshake and start sending encrypted data.\n");
     fprintf(stderr, "  -D,--dynamic\n");
     fprintf(stderr, "    Set dynamic record resize threshold\n");
     fprintf(stderr, "  -t,--timeout\n");
@@ -292,6 +298,8 @@ int main(int argc, char *const *argv)
     bool client_key_input = false;
     const char *ticket_out = NULL;
     char *ticket_in = NULL;
+    const char *serialize_out = NULL;
+    const char *deserialize_in = NULL;
     uint16_t mfl_value = 0;
     uint8_t insecure = 0;
     int reconnect = 0;
@@ -340,6 +348,8 @@ int main(int argc, char *const *argv)
         { "ticket-out", required_argument, 0, OPT_TICKET_OUT },
         { "ticket-in", required_argument, 0, OPT_TICKET_IN },
         { "no-session-ticket", no_argument, 0, 'T' },
+        { "serialize-out", required_argument, 0, OPT_SERIALIZE_OUT },
+        { "deserialize-in", required_argument, 0, OPT_DESERIALIZE_IN },
         { "dynamic", required_argument, 0, 'D' },
         { "timeout", required_argument, 0, 't' },
         { "corked-io", no_argument, 0, 'C' },
@@ -419,6 +429,12 @@ int main(int argc, char *const *argv)
             case OPT_TICKET_IN:
                 ticket_in = optarg;
                 break;
+            case OPT_SERIALIZE_OUT:
+                serialize_out = optarg;
+                break;
+            case OPT_DESERIALIZE_IN:
+                deserialize_in = optarg;
+                break;
             case 'T':
                 session_ticket = 0;
                 break;
@@ -629,13 +645,29 @@ int main(int argc, char *const *argv)
             GUARD_EXIT(s2n_config_set_npn(config, 1), "Error setting npn support");
         }
 
+        if (serialize_out) {
+            GUARD_EXIT(s2n_config_set_serialization_version(config, S2N_SERIALIZED_CONN_V1),
+                    "Error setting serialized version");
+        }
+
         struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
 
         if (conn == NULL) {
             print_s2n_error("Error getting new connection");
             exit(1);
         }
 
+        if (deserialize_in) {
+            size_t deserialize_length = 0;
+            GUARD_EXIT(get_file_size(deserialize_in, &deserialize_length), "Failed to read serialize-in file size");
+            ENSURE_EXIT(deserialize_length <= UINT32_MAX, "serialize-in file size is too large");
+            uint8_t *mem = malloc(deserialize_length);
+            GUARD_EXIT_NULL(mem);
+            GUARD_EXIT(load_file_to_array(deserialize_in, mem, deserialize_length), "Failed to read serialize-in file");
+            GUARD_EXIT(s2n_connection_deserialize(conn, mem, (uint32_t) deserialize_length), "Failed to deserialize connection");
+            free(mem);
+        }
+
         GUARD_EXIT(s2n_connection_set_config(conn, config), "Error setting configuration");
 
         GUARD_EXIT(s2n_set_server_name(conn, server_name), "Error setting server name");
@@ -684,8 +716,7 @@ int main(int argc, char *const *argv)
             }
         }
 
-        /* See echo.c */
-        if (negotiate(conn, sockfd) != 0) {
+        if (!deserialize_in && negotiate(conn, sockfd) != 0) {
             /* Error is printed in negotiate */
             S2N_ERROR_PRESERVE_ERRNO();
         }
@@ -723,6 +754,16 @@ int main(int argc, char *const *argv)
             s2n_connection_set_dynamic_record_threshold(conn, dyn_rec_threshold, dyn_rec_timeout);
         }
 
+        if (serialize_out) {
+            uint32_t serialize_length = 0;
+            GUARD_EXIT(s2n_connection_serialization_length(conn, &serialize_length), "Failed to get serialized connection length");
+            uint8_t *mem = malloc(serialize_length);
+            GUARD_EXIT_NULL(mem);
+            GUARD_EXIT(s2n_connection_serialize(conn, mem, serialize_length), "Failed to get serialized connection");
+            GUARD_EXIT(write_array_to_file(serialize_out, mem, serialize_length), "Failed to write serialized connection to file");
+            free(mem);
+        }
+
         GUARD_EXIT(s2n_connection_free_handshake(conn), "Error freeing handshake memory after negotiation");
 
         if (send_file != NULL) {

diff --git a/bin/s2nd.c b/bin/s2nd.c
@@ -131,7 +131,9 @@ static char default_private_key[] =
         "ggF9KQ0xWz7Km3GXv5+bwM5bcgt1A/s6sZCimXuj3Fle3RqOTF0="
         "-----END RSA PRIVATE KEY-----";
 
-#define OPT_BUFFERED_SEND 1000
+#define OPT_BUFFERED_SEND  1000
+#define OPT_SERIALIZE_OUT  1001
+#define OPT_DESERIALIZE_IN 1002
 
 void usage()
 {
@@ -185,6 +187,10 @@ void usage()
     fprintf(stderr, "    Location of key file used for encryption and decryption of session ticket.\n");
     fprintf(stderr, "  -T,--no-session-ticket\n");
     fprintf(stderr, "    Disable session ticket for resumption.\n");
+    fprintf(stderr, "  --serialize-out [file path]\n");
+    fprintf(stderr, "    Path to a file where a serialized connection can be stored.\n");
+    fprintf(stderr, "  --deserialize-in [file path]\n");
+    fprintf(stderr, "    Path to a file where a serialized connection lives. Will be used to skip the handshake and start sending encrypted data.\n");
     fprintf(stderr, "  -C,--corked-io\n");
     fprintf(stderr, "    Turn on corked io\n");
     fprintf(stderr, "  --non-blocking\n");
@@ -223,7 +229,7 @@ int handle_connection(int fd, struct s2n_config *config, struct conn_settings se
 
     s2n_setup_server_connection(conn, fd, config, settings);
 
-    if (negotiate(conn, fd) != S2N_SUCCESS) {
+    if (!settings.deserialize_in && negotiate(conn, fd) != S2N_SUCCESS) {
         if (settings.mutual_auth) {
             if (!s2n_connection_client_cert_used(conn)) {
                 print_s2n_error("Error: Mutual Auth was required, but not negotiated");
@@ -234,6 +240,16 @@ int handle_connection(int fd, struct s2n_config *config, struct conn_settings se
         S2N_ERROR_PRESERVE_ERRNO();
     }
 
+    if (settings.serialize_out) {
+        uint32_t serialize_length = 0;
+        GUARD_EXIT(s2n_connection_serialization_length(conn, &serialize_length), "Failed to get serialized connection length");
+        uint8_t *mem = malloc(serialize_length);
+        GUARD_EXIT_NULL(mem);
+        GUARD_EXIT(s2n_connection_serialize(conn, mem, serialize_length), "Failed to get serialized connection");
+        GUARD_EXIT(write_array_to_file(settings.serialize_out, mem, serialize_length), "Failed to write serialized connection to file");
+        free(mem);
+    }
+
     GUARD_EXIT(s2n_connection_free_handshake(conn), "Error freeing handshake memory after negotiation");
 
     if (settings.https_server) {
@@ -307,6 +323,8 @@ int main(int argc, char *const *argv)
         { "ca-file", required_argument, 0, 't' },
         { "insecure", no_argument, 0, 'i' },
         { "stk-file", required_argument, 0, 'a' },
+        { "serialize-out", required_argument, 0, OPT_SERIALIZE_OUT },
+        { "deserialize-in", required_argument, 0, OPT_DESERIALIZE_IN },
         { "no-session-ticket", no_argument, 0, 'T' },
         { "corked-io", no_argument, 0, 'C' },
         { "max-conns", optional_argument, 0, 'X' },
@@ -426,6 +444,12 @@ int main(int argc, char *const *argv)
                 send_buffer_size = (uint32_t) send_buffer_size_scanned_value;
                 break;
             }
+            case OPT_SERIALIZE_OUT:
+                conn_settings.serialize_out = optarg;
+                break;
+            case OPT_DESERIALIZE_IN:
+                conn_settings.deserialize_in = optarg;
+                break;
             case 'A':
                 alpn = optarg;
                 break;
@@ -616,6 +640,11 @@ int main(int argc, char *const *argv)
         GUARD_EXIT(s2n_config_set_npn(config, 1), "Error setting npn support");
     }
 
+    if (conn_settings.serialize_out) {
+        GUARD_EXIT(s2n_config_set_serialization_version(config, S2N_SERIALIZED_CONN_V1),
+                "Error setting serialized version");
+    }
+
     FILE *key_log_file = NULL;
 
     if (key_log_path) {