fix: refactor negotiate loop to fix issue with async callback (#5641)

Author: maddeleine

bindings/rust/standard/integration/src/mtls.rs

@@ -425,13 +425,8 @@ where
     pair
 }
 
-// As of 2025-11-24: s2n as client (TLS 1.2, 1.3) and s2n as
-// server (TLS 1.3) hang due to a multi-message async cert validation bug.
-// s2n incorrectly clears queued handshake messages, causing
-// poll_negotiate() to spin forever. Remove #[ignore] once fixed.
 // s2n client with async callback, rustls server
 #[test]
-#[ignore = "Hangs due to multi-message bug in async cert validation"]
 fn s2n_client_async_callback() {
     // TLS 1.2
     let (client, handle, rx) = {
@@ -463,12 +458,9 @@ fn s2n_client_async_callback() {
 }
 
 // rustls client, s2n server with async callback
-// Rustls TLS 1.2 clients do not send multiple handshake messages in a
-// single record, so s2n never hits the multi-message async-callback
-// bug that appears in TLS 1.3. These tests are split by protocol
-// version until the multi-message bug is fixed.
 #[test]
-fn s2n_server_async_callback_tls12() {
+fn s2n_server_async_callback() {
+    // TLS 1.2
     let client = rustls_mtls_client(SigType::Rsa2048, &rustls::version::TLS12);
     let (server, handle, rx) = {
         let builder = s2n_mtls_base_builder(SigType::Rsa2048);
@@ -478,11 +470,8 @@ fn s2n_server_async_callback_tls12() {
     };
     let _pair =
         test_async_server_callback::<RustlsConnection, S2NConnection>(&client, &server, handle, rx);
-}
 
-#[test]
-#[ignore = "Hangs due to multi-message bug in async cert validation"]
-fn s2n_server_async_callback_tls13() {
+    // TLS 1.3
     crate::capability_check::required_capability(
         &[crate::capability_check::Capability::Tls13],
         || {

tests/unit/s2n_multi_message_test.c

@@ -0,0 +1,172 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include "api/s2n.h"
+#include "s2n_test.h"
+#include "testlib/s2n_testlib.h"
+#include "tls/s2n_tls.h"
+/* Just to get access to advance_message */
+#include "tls/s2n_handshake_io.c"
+
+struct test_data {
+    uint8_t message_type;
+    int (*handler)(struct s2n_connection *conn);
+};
+
+struct s2n_cert_cb_ctx {
+    struct s2n_cert_validation_info *info;
+};
+
+static int s2n_test_cert_validation_cb(struct s2n_connection *conn, struct s2n_cert_validation_info *info, void *ctx)
+{
+    struct s2n_cert_cb_ctx *data = (struct s2n_cert_cb_ctx *) ctx;
+
+    data->info = info;
+
+    /* Returning success since we will accept asynchronously */
+    return S2N_SUCCESS;
+}
+
+struct s2n_sig_cb_ctx {
+    struct s2n_async_offload_op *op;
+};
+
+static int s2n_test_signature_verification_cb(struct s2n_connection *conn, struct s2n_async_offload_op *op, void *ctx)
+{
+    struct s2n_sig_cb_ctx *data = (struct s2n_sig_cb_ctx *) ctx;
+
+    data->op = op;
+
+    /* Returning success since we will perform the operation asynchronously */
+    return S2N_SUCCESS;
+}
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+
+    if (s2n_is_tls13_fully_supported()) {
+        DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
+        EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
+                S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
+
+        DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new(), s2n_config_ptr_free);
+        EXPECT_NOT_NULL(server_config);
+        /* Policy that will negotiate TLS1.3 */
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20251014"));
+        EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
+        EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
+        EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));
+
+        DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new(), s2n_config_ptr_free);
+        EXPECT_NOT_NULL(client_config);
+        /* Policy that will negotiate TLS1.3 */
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20251014"));
+        EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, chain_and_key));
+        EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
+        EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_REQUIRED));
+
+        /* This test checks that our async callbacks which interrupt the reading of handshake messages do not
+         * affect the server's processing of multiple handshake messages in one record.
+         * This case requires special testing because these async callbacks will exit the s2n_negotiate
+         * loop with handshake data left unread and we want to ensure that they re-enter and process
+         * the leftover data successfully.
+         */
+        {
+            DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
+            EXPECT_NOT_NULL(client_conn);
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
+            EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
+            EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
+
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free);
+            EXPECT_NOT_NULL(server_conn);
+
+            /* Add a cert validation callback. In this case we will store the cert validation info
+            * when the callback triggers and accept the cert outside of the callback. */
+            struct s2n_cert_cb_ctx cert_cb_ctx = { 0 };
+            EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(server_config, s2n_test_cert_validation_cb, &cert_cb_ctx));
+
+            /* Add a signature verify callback */
+            struct s2n_sig_cb_ctx sig_cb_ctx = { 0 };
+            EXPECT_SUCCESS(s2n_config_set_async_offload_callback(server_config, S2N_ASYNC_OFFLOAD_PKEY_VERIFY,
+                    s2n_test_signature_verification_cb, &sig_cb_ctx));
+
+            EXPECT_SUCCESS(s2n_connection_set_blinding(server_conn, S2N_SELF_SERVICE_BLINDING));
+            EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
+
+            DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
+            EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
+            EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
+
+            /* Stop client before sending its last flight of messages */
+            EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server_conn, client_conn, CLIENT_CERT));
+
+            struct test_data message_arr[] = {
+                { .message_type = TLS_CERTIFICATE, .handler = s2n_client_cert_send },
+                { .message_type = TLS_CERT_VERIFY, .handler = s2n_tls13_cert_verify_send },
+                { .message_type = TLS_FINISHED, .handler = s2n_tls13_client_finished_send }
+            };
+
+            /* We have to manually call the state machine handler and update the handshake hashes
+            * because s2n-tls is not designed to send multiple handshake messages per record. */
+            for (size_t i = 0; i < s2n_array_len(message_arr); i++) {
+                /* Write handshake message */
+                EXPECT_SUCCESS(s2n_stuffer_write_uint8(&client_conn->handshake.io, message_arr[i].message_type));
+                struct s2n_stuffer_reservation reservation = { 0 };
+                EXPECT_SUCCESS(s2n_stuffer_reserve_uint24(&client_conn->handshake.io, &reservation));
+                EXPECT_SUCCESS(message_arr[i].handler(client_conn));
+                EXPECT_SUCCESS(s2n_stuffer_write_vector_size(&reservation));
+                EXPECT_SUCCESS(s2n_advance_message(client_conn));
+
+                /* Update transcript hash with handshake message */
+                struct s2n_blob data = { 0 };
+                uint32_t len = s2n_stuffer_data_available(&client_conn->handshake.io);
+                uint8_t *bytes = s2n_stuffer_raw_read(&client_conn->handshake.io, len);
+                EXPECT_NOT_NULL(bytes);
+                EXPECT_SUCCESS(s2n_blob_init(&data, bytes, len));
+                EXPECT_SUCCESS(s2n_conn_update_handshake_hashes(client_conn, &data));
+                EXPECT_SUCCESS(s2n_stuffer_skip_read(&client_conn->handshake.io,
+                        s2n_stuffer_data_available(&client_conn->handshake.io)));
+            }
+
+            EXPECT_SUCCESS(s2n_stuffer_reread(&client_conn->handshake.io));
+
+            /* Writes all messages in the handshake buffer to the same record */
+            s2n_blocked_status blocked = S2N_NOT_BLOCKED;
+            EXPECT_OK(s2n_handshake_message_send(client_conn, TLS_HANDSHAKE, &blocked));
+
+            /* Handshake will block until the server accepts the client cert */
+            for (int i = 0; i < 3; i++) {
+                EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server_conn, client_conn),
+                        S2N_ERR_ASYNC_BLOCKED);
+            }
+            EXPECT_SUCCESS(s2n_cert_validation_accept(cert_cb_ctx.info));
+
+            /* Handshake will block until the server verifies client signature */
+            for (int i = 0; i < 3; i++) {
+                EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server_conn, client_conn),
+                        S2N_ERR_ASYNC_BLOCKED);
+            }
+
+            EXPECT_SUCCESS(s2n_async_offload_op_perform(sig_cb_ctx.op));
+
+            /* Handshake completes successfully after server accepts client cert */
+            EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
+        }
+    }
+
+    END_TEST();
+}

tls/s2n_connection.c

@@ -1326,9 +1326,6 @@ S2N_CLEANUP_RESULT s2n_connection_apply_error_blinding(struct s2n_connection **c
         return S2N_RESULT_OK;
     }
 
-    /* Ensure that conn->in doesn't contain any leftover invalid or unauthenticated data. */
-    RESULT_GUARD_POSIX(s2n_stuffer_wipe(&(*conn)->in));
-
     int error_code = s2n_errno;
     int error_type = s2n_error_get_type(error_code);
 
@@ -1343,6 +1340,9 @@ S2N_CLEANUP_RESULT s2n_connection_apply_error_blinding(struct s2n_connection **c
             break;
     }
 
+    /* Ensure that conn->in doesn't contain any leftover invalid or unauthenticated data. */
+    RESULT_GUARD_POSIX(s2n_stuffer_wipe(&(*conn)->in));
+
     switch (error_code) {
         /* Don't invoke blinding on some of the common errors.
          *