feat(s2n-quic-tls): record server's ConnectionInfo in s2n-quic's TLS Connection (#2906)

Author: boquan-fang

quic/s2n-quic-core/src/crypto/tls.rs

@@ -1,11 +1,12 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+use crate::path::{LocalAddress, RemoteAddress};
 #[cfg(feature = "alloc")]
 use alloc::vec::Vec;
 #[cfg(feature = "alloc")]
 pub use bytes::{Bytes, BytesMut};
-use core::{any::Any, fmt::Debug};
+use core::{any::Any, fmt::Debug, net::SocketAddr};
 use zerocopy::{FromBytes, IntoBytes, Unaligned};
 
 mod error;
@@ -23,6 +24,25 @@ pub mod slow_tls;
 #[cfg(feature = "std")]
 pub mod offload;
 
+/// Holds connection address information for establishing a TLS session.
+/// This includes both the local and remote addresses.
+#[derive(Debug, Clone, Copy)]
+#[non_exhaustive]
+pub struct ConnectionInfo {
+    pub local_address: SocketAddr,
+    pub remote_address: SocketAddr,
+}
+
+impl ConnectionInfo {
+    #[doc(hidden)]
+    pub fn new(local_address: LocalAddress, remote_address: RemoteAddress) -> Self {
+        Self {
+            local_address: local_address.into(),
+            remote_address: remote_address.into(),
+        }
+    }
+}
+
 /// Holds all application parameters which are exchanged within the TLS handshake.
 #[derive(Debug)]
 pub struct ApplicationParameters<'a> {
@@ -206,6 +226,7 @@ pub trait Endpoint: 'static + Sized + Send {
     fn new_server_session<Params: s2n_codec::EncoderValue>(
         &mut self,
         transport_parameters: &Params,
+        connection_info: ConnectionInfo,
     ) -> Self::Session;
 
     fn new_client_session<Params: s2n_codec::EncoderValue>(

quic/s2n-quic-core/src/crypto/tls/null.rs

@@ -88,6 +88,7 @@ impl<T: Send + Clone + 'static + std::fmt::Debug> crypto::tls::Endpoint for Endp
     fn new_server_session<Params: s2n_codec::EncoderValue>(
         &mut self,
         transport_parameters: &Params,
+        _connection_info: tls::ConnectionInfo,
     ) -> Self::Session {
         let params = transport_parameters.encode_to_vec().into();
         Session::Server(server::TlsSession::Init {

quic/s2n-quic-core/src/crypto/tls/offload.rs

@@ -3,7 +3,7 @@
 use crate::{
     application,
     crypto::{
-        tls::{self, NamedGroup, TlsSession},
+        tls::{self, ConnectionInfo, NamedGroup, TlsSession},
         CryptoSuite,
     },
     sync::spsc::{channel, Receiver, SendSlice, Sender},
@@ -76,9 +76,11 @@ where
     fn new_server_session<Params: s2n_codec::EncoderValue>(
         &mut self,
         transport_parameters: &Params,
+        connection_info: ConnectionInfo,
     ) -> Self::Session {
         OffloadSession::new(
-            self.inner.new_server_session(transport_parameters),
+            self.inner
+                .new_server_session(transport_parameters, connection_info),
             &self.executor,
             self.exporter.clone(),
             self.channel_capacity,

quic/s2n-quic-core/src/crypto/tls/slow_tls.rs

@@ -26,8 +26,11 @@ impl<E: tls::Endpoint> tls::Endpoint for SlowEndpoint<E> {
     fn new_server_session<Params: s2n_codec::EncoderValue>(
         &mut self,
         transport_parameters: &Params,
+        connection_info: tls::ConnectionInfo,
     ) -> Self::Session {
-        let inner_session = self.endpoint.new_server_session(transport_parameters);
+        let inner_session = self
+            .endpoint
+            .new_server_session(transport_parameters, connection_info);
         SlowSession {
             defer: DEFER_COUNT,
             inner_session,

quic/s2n-quic-core/src/crypto/tls/testing.rs

@@ -8,10 +8,16 @@ use crate::{
     crypto::{
         header_crypto::{LONG_HEADER_MASK, SHORT_HEADER_MASK},
         scatter, tls,
-        tls::{ApplicationParameters, CipherSuite, NamedGroup, TlsExportError, TlsSession},
+        tls::{
+            ApplicationParameters, CipherSuite, ConnectionInfo, NamedGroup, TlsExportError,
+            TlsSession,
+        },
         CryptoSuite, HeaderKey, Key,
     },
-    endpoint, transport,
+    endpoint,
+    inet::SocketAddressV4,
+    path::{LocalAddress, RemoteAddress},
+    transport,
     transport::parameters::{ClientTransportParameters, ServerTransportParameters},
 };
 use alloc::sync::Arc;
@@ -69,6 +75,7 @@ impl super::Endpoint for Endpoint {
     fn new_server_session<Params: EncoderValue>(
         &mut self,
         _transport_parameters: &Params,
+        _connection_info: ConnectionInfo,
     ) -> Self::Session {
         Session
     }
@@ -155,7 +162,7 @@ pub struct Pair<S: tls::Session, C: tls::Session> {
     pub server_name: ServerName,
 }
 
-fn server_params() -> Bytes {
+pub fn server_params() -> Bytes {
     ServerTransportParameters {
         initial_max_data: 123.try_into().unwrap(),
         ..Default::default()
@@ -185,7 +192,12 @@ impl<S: tls::Session, C: tls::Session> Pair<S, C> {
     {
         use crate::crypto::InitialKey;
 
-        let server = server_endpoint.new_server_session(&&server_params()[..]);
+        // This testing pair doesn't use tls::ConnectionInfo. Hence, we can create random local/remote addresses to pass in new_server_session
+        let local_address: LocalAddress = SocketAddressV4::new([127, 0, 0, 1], 443).into();
+        let remote_address: RemoteAddress = SocketAddressV4::new([127, 0, 0, 1], 12345).into();
+        let connection_info = tls::ConnectionInfo::new(local_address, remote_address);
+
+        let server = server_endpoint.new_server_session(&&server_params()[..], connection_info);
         let mut server_context =
             Context::new(endpoint::Type::Server, ServerState::WaitingClientHello);
         server_context.initial.crypto = Some(S::InitialKey::new_server(server_name.as_bytes()));

quic/s2n-quic-rustls/src/client.rs

@@ -71,6 +71,7 @@ impl tls::Endpoint for Client {
     fn new_server_session<Params: EncoderValue>(
         &mut self,
         _transport_parameters: &Params,
+        _connection_info: tls::ConnectionInfo,
     ) -> Self::Session {
         panic!("cannot create a server session from a client config");
     }

quic/s2n-quic-rustls/src/server.rs

@@ -69,6 +69,7 @@ impl tls::Endpoint for Server {
     fn new_server_session<Params: EncoderValue>(
         &mut self,
         transport_parameters: &Params,
+        _connection_info: tls::ConnectionInfo,
     ) -> Self::Session {
         //= https://www.rfc-editor.org/rfc/rfc9001#section-8.2
         //# Endpoints MUST send the quic_transport_parameters extension;

quic/s2n-quic-tests/Cargo.toml

@@ -31,5 +31,9 @@ zerocopy = { version = "0.8", features = ["derive"] }
 [target.'cfg(not(target_arch = "x86"))'.dependencies]
 quiche = "0.24"
 
+# s2n-tls is required by ch_callback_server_local_address_test and doesn't build on Windows
+[target.'cfg(not(target_os = "windows"))'.dependencies]
+s2n-tls = "0.3.31"
+
 [target.'cfg(unix)'.dependencies]
 s2n-quic = { path = "../s2n-quic", features = ["provider-event-tracing", "provider-tls-s2n", "unstable-provider-io-testing", "unstable-provider-dc", "unstable-provider-packet-interceptor", "unstable-provider-random", "unstable-offload-tls", "unstable_client_hello"] }

quic/s2n-quic-tests/src/tests.rs

@@ -11,6 +11,7 @@ use s2n_quic::{
             self as io, network::Packet, primary, rand, spawn, test, time::delay, Model,
         },
         packet_interceptor::Loss,
+        tls,
     },
     Client, Server,
 };
@@ -53,6 +54,9 @@ mod tls_context;
 #[cfg(not(target_arch = "x86"))]
 mod zero_length_cid_client_connection_migration;
 
+// The ClientHelloCallback trait is only available with s2n-tls
+#[cfg(not(target_os = "windows"))]
+mod ch_callback_connection_info;
 // TODO: https://github.com/aws/s2n-quic/issues/1726
 //
 // The rustls tls provider is used on windows and has different

quic/s2n-quic-tests/src/tests/ch_callback_connection_info.rs

@@ -0,0 +1,103 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+use s2n_quic_core::crypto::tls::ConnectionInfo;
+use s2n_tls::{
+    callbacks::{ClientHelloCallback, ConnectionFuture},
+    error::Error as S2nError,
+};
+use std::{
+    pin::Pin,
+    sync::{Arc, Mutex},
+};
+
+struct TestClientHelloHandle {
+    // The ClientHelloCallback trait requires `&self` as a immutable reference.
+    // We use Arc<Mutex<>> to enable interior mutability - allowing us to mutate the recorded
+    // ConnectionInfo through an immutable reference.
+    recorded_info: Arc<Mutex<Option<ConnectionInfo>>>,
+}
+
+impl TestClientHelloHandle {
+    pub fn new(recorded_info: Arc<Mutex<Option<ConnectionInfo>>>) -> Self {
+        Self { recorded_info }
+    }
+}
+
+impl ClientHelloCallback for TestClientHelloHandle {
+    fn on_client_hello(
+        &self,
+        connection: &mut s2n_tls::connection::Connection,
+    ) -> Result<Option<Pin<Box<dyn ConnectionFuture>>>, S2nError> {
+        let connection_info = connection.application_context::<ConnectionInfo>();
+
+        assert!(connection_info.is_some());
+        if let Some(info) = connection_info {
+            *self.recorded_info.lock().unwrap() = Some(*info);
+        }
+
+        Ok(None)
+    }
+}
+
+/// Tests that ConnectionInfo is accessible in the client hello callback and contains
+/// the correct local (server) and remote (client) socket addresses.
+///
+/// This test:
+/// 1. Creates a server with a client hello callback that records ConnectionInfo
+/// 2. Records the actual server and client socket addresses during connection setup
+/// 3. Verifies that the ConnectionInfo captured in the callback matches the expected addresses
+///
+/// Note: Uses interior mutability (Arc<Mutex<>>) to store data from the callback since
+/// ClientHelloCallback requires an immutable reference (&self).
+#[test]
+#[cfg_attr(miri, ignore)]
+fn ch_callback_connection_info_test() {
+    let model = Model::default();
+
+    let ch_callback_handle_inner = Arc::new(Mutex::new(None));
+    let ch_callback_handle_inner_clone = ch_callback_handle_inner.clone();
+
+    let mut server_local_address = None;
+    let mut server_remote_address = None;
+
+    test(model.clone(), |handle| {
+        let server_tls = tls::s2n_tls::Server::builder()
+            .with_certificate(certificates::CERT_PEM, certificates::KEY_PEM)
+            .unwrap()
+            .with_client_hello_handler(TestClientHelloHandle::new(ch_callback_handle_inner_clone))
+            .unwrap()
+            .build()
+            .unwrap();
+
+        let server = Server::builder()
+            .with_io(handle.builder().build()?)?
+            .with_tls(server_tls)?
+            .with_event(tracing_events(true, model.clone()))?
+            .with_random(Random::with_seed(456))?
+            .start()?;
+
+        let server_addr = start_server(server)?;
+        server_local_address = Some(server_addr);
+
+        let client = build_client(handle, model.clone(), true)?;
+        server_remote_address = Some(client.local_addr().unwrap());
+
+        start_client(client, server_addr, Data::new(1000))?;
+
+        Ok(server_addr)
+    })
+    .unwrap();
+
+    let connection_info = ch_callback_handle_inner.lock().unwrap().unwrap();
+
+    // Verify that the ConnectionInfo contains the exact server local address
+    assert_eq!(connection_info.local_address, server_local_address.unwrap());
+
+    // Verify that the ConnectionInfo contains the exact server's remote address (client's local address)
+    assert_eq!(
+        connection_info.remote_address,
+        server_remote_address.unwrap()
+    );
+}