Secure tunnel v3

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
       - 'main'
 
 env:
-  BUILDER_VERSION: v0.9.26
+  BUILDER_VERSION: v0.9.40
   BUILDER_SOURCE: releases
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-c-iot
@@ -105,12 +105,12 @@ jobs:
     runs-on: windows-2019 # windows-2019 is last env with Visual Studio 2015 (v14.0) toolset
     strategy:
       matrix:
-        arch: [Win32, x64]
+        arch: [x86, x64]
     steps:
     - name: Build ${{ env.PACKAGE_NAME }} + consumers
       run: |
         python -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder.pyz')"
-        python builder.pyz build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-Tv140 --cmake-extra=-A${{ matrix.arch }}
+        python builder.pyz build -p ${{ env.PACKAGE_NAME }} --target windows-${{ matrix.arch }} --compiler msvc-14
 
   windows-shared-libs:
     runs-on: windows-2022 # latest
@@ -128,8 +128,8 @@ jobs:
         python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
         chmod a+x builder
         ./builder build -p ${{ env.PACKAGE_NAME }}
-        
-        
+
+
   # Test downstream repos.
   # This should not be required because we can run into a chicken and egg problem if there is a change that needs some fix in a downstream repo.
   downstream:

include/aws/iotdevice/iotdevice.h

@@ -21,7 +21,9 @@ enum aws_iotdevice_error {
     AWS_ERROR_IOTDEVICE_DEFENDER_PUBLISH_FAILURE,
     AWS_ERROR_IOTDEVICE_DEFENDER_UNKNOWN_TASK_STATUS,
 
-    AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_INVALID_STREAM,
+    AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_INVALID_STREAM_ID,
+    AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_INVALID_CONNECTION_ID,
+    AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_INVALID_SERVICE_ID,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_INCORRECT_MODE,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_BAD_SERVICE_ID,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_DATA_OPTIONS_VALIDATION,
@@ -34,6 +36,7 @@ enum aws_iotdevice_error {
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_OPERATION_FAILED_DUE_TO_OFFLINE_QUEUE_POLICY,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_UNEXPECTED_HANGUP,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_USER_REQUESTED_STOP,
+    AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_PROTOCOL_VERSION_MISSMATCH,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_TERMINATED,
     AWS_ERROR_IOTDEVICE_SECURE_TUNNELING_DECODE_FAILURE,
 

include/aws/iotdevice/private/secure_tunneling_impl.h

@@ -13,6 +13,7 @@
 #include <aws/common/task_scheduler.h>
 #include <aws/http/proxy.h>
 #include <aws/http/websocket.h>
+#include <aws/io/host_resolver.h>
 #include <aws/io/socket.h>
 #include <aws/io/tls_channel_handler.h>
 
@@ -99,10 +100,21 @@ struct data_tunnel_pair {
     struct aws_allocator *allocator;
     struct aws_byte_buf buf;
     struct aws_byte_cursor cur;
+    enum aws_secure_tunnel_message_type type;
     const struct aws_secure_tunnel *secure_tunnel;
     bool length_prefix_written;
 };
 
+struct aws_secure_tunnel_message_storage {
+    struct aws_allocator *allocator;
+    struct aws_secure_tunnel_message_view storage_view;
+
+    struct aws_byte_cursor service_id;
+    struct aws_byte_cursor payload;
+
+    struct aws_byte_buf storage;
+};
+
 /*
  * Secure tunnel configuration
  */
@@ -120,28 +132,42 @@ struct aws_secure_tunnel_options_storage {
 
     struct aws_string *endpoint_host;
 
-    /* Stream related info */
-    int32_t stream_id;
-
-    struct aws_hash_table service_ids;
-
     /* Callbacks */
     aws_secure_tunnel_message_received_fn *on_message_received;
     aws_secure_tunneling_on_connection_complete_fn *on_connection_complete;
     aws_secure_tunneling_on_connection_shutdown_fn *on_connection_shutdown;
     aws_secure_tunneling_on_stream_start_fn *on_stream_start;
     aws_secure_tunneling_on_stream_reset_fn *on_stream_reset;
+    aws_secure_tunneling_on_connection_start_fn *on_connection_start;
+    aws_secure_tunneling_on_connection_reset_fn *on_connection_reset;
     aws_secure_tunneling_on_session_reset_fn *on_session_reset;
     aws_secure_tunneling_on_stopped_fn *on_stopped;
+    aws_secure_tunneling_on_send_message_complete_fn *on_send_message_complete;
 
-    aws_secure_tunneling_on_send_data_complete_fn *on_send_data_complete;
     aws_secure_tunneling_on_termination_complete_fn *on_termination_complete;
     void *secure_tunnel_on_termination_user_data;
 
     void *user_data;
     enum aws_secure_tunneling_local_proxy_mode local_proxy_mode;
 };
 
+struct aws_secure_tunnel_connections {
+    struct aws_allocator *allocator;
+
+    uint8_t protocol_version;
+
+    /* Used for streams not using multiplexing (service ids) */
+    int32_t stream_id;
+    struct aws_hash_table connection_ids;
+
+    /* Table containing streams using multiplexing (service ids) */
+    struct aws_hash_table service_ids;
+
+    /* Message used for initializing a stream upon a reconnect due to a protocol version missmatch */
+    struct aws_secure_tunnel_message_storage *restore_stream_message_view;
+    struct aws_secure_tunnel_message_storage restore_stream_message;
+};
+
 struct aws_secure_tunnel_vtable {
     /* aws_high_res_clock_get_ticks */
     uint64_t (*get_current_time_fn)(void);
@@ -175,9 +201,16 @@ struct aws_secure_tunnel {
      */
     struct aws_secure_tunnel_options_storage *config;
 
+    /*
+     * Stores connection related information
+     */
+    struct aws_secure_tunnel_connections *connections;
+
     struct aws_tls_ctx *tls_ctx;
     struct aws_tls_connection_options tls_con_opt;
 
+    struct aws_host_resolution_config host_resolution_config;
+
     /*
      * The recurrent task that runs all secure tunnel logic outside of external event callbacks.  Bound to the secure
      * tunnel's event loop.
@@ -267,6 +300,14 @@ AWS_IOTDEVICE_API void aws_secure_tunnel_set_vtable(
  */
 AWS_IOTDEVICE_API const struct aws_secure_tunnel_vtable *aws_secure_tunnel_get_default_vtable(void);
 
+/*
+ * For testing purposes. This message type should only be sent due to internal logic.
+ */
+AWS_IOTDEVICE_API
+int aws_secure_tunnel_connection_reset(
+    struct aws_secure_tunnel *secure_tunnel,
+    const struct aws_secure_tunnel_message_view *message_options);
+
 AWS_EXTERN_C_END
 
 #endif /* AWS_IOTDEVICE_SECURE_TUNNELING_IMPL_H */

include/aws/iotdevice/private/secure_tunneling_operations.h

@@ -23,26 +23,22 @@ enum aws_secure_tunnel_operation_type {
     AWS_STOT_PING,
     AWS_STOT_MESSAGE,
     AWS_STOT_STREAM_RESET,
-    AWS_STOT_STREAM_START
+    AWS_STOT_STREAM_START,
+    AWS_STOT_CONNECTION_START,
+    AWS_STOT_CONNECTION_RESET,
 };
 
 struct aws_service_id_element {
     struct aws_allocator *allocator;
     struct aws_byte_cursor service_id_cur;
     struct aws_string *service_id_string;
     int32_t stream_id;
+    struct aws_hash_table connection_ids;
 };
 
-struct aws_secure_tunnel_message_storage {
+struct aws_connection_id_element {
     struct aws_allocator *allocator;
-    struct aws_secure_tunnel_message_view storage_view;
-
-    bool ignorable;
-    int32_t stream_id;
-    struct aws_byte_cursor service_id;
-    struct aws_byte_cursor payload;
-
-    struct aws_byte_buf storage;
+    uint32_t connection_id;
 };
 
 /* Basic vtable for all secure tunnel operations.  Implementations are per-message type */
@@ -57,10 +53,15 @@ struct aws_secure_tunnel_operation_vtable {
         struct aws_secure_tunnel_operation *operation,
         struct aws_secure_tunnel *secure_tunnel);
 
-    /* Set the stream id of outgoing st_msg to +1 of the currently set stream id */
+    /* Set the stream id of outgoing STREAM START message to +1 of the currently set stream id */
     int (*aws_secure_tunnel_operation_set_next_stream_id_fn)(
         struct aws_secure_tunnel_operation *operation,
         struct aws_secure_tunnel *secure_tunnel);
+
+    /* Set the connection id of outbound CONNECTION START as active for the Source device */
+    int (*aws_secure_tunnel_operation_set_connection_start_id)(
+        struct aws_secure_tunnel_operation *operation,
+        struct aws_secure_tunnel *secure_tunnel);
 };
 
 /**
@@ -172,6 +173,12 @@ struct aws_secure_tunnel_options_storage *aws_secure_tunnel_options_storage_new(
     struct aws_allocator *allocator,
     const struct aws_secure_tunnel_options *options);
 
+AWS_IOTDEVICE_API
+void aws_secure_tunnel_connections_destroy(struct aws_secure_tunnel_connections *storage);
+
+AWS_IOTDEVICE_API
+struct aws_secure_tunnel_connections *aws_secure_tunnel_connections_new(struct aws_allocator *allocator);
+
 AWS_IOTDEVICE_API
 void aws_secure_tunnel_options_storage_log(
     const struct aws_secure_tunnel_options_storage *options_storage,
@@ -197,6 +204,14 @@ struct aws_service_id_element *aws_service_id_element_new(
     const struct aws_byte_cursor *service_id,
     int32_t stream_id);
 
+AWS_IOTDEVICE_API
+void aws_connection_id_destroy(void *data);
+
+AWS_IOTDEVICE_API
+struct aws_connection_id_element *aws_connection_id_element_new(
+    struct aws_allocator *allocator,
+    uint32_t connection_id);
+
 AWS_EXTERN_C_END
 
 #endif /* AWS_IOTDEVICE_SECURE_TUNNELING_OPERATION_H */

include/aws/iotdevice/private/serializer.h

@@ -17,7 +17,7 @@
 #define AWS_IOT_ST_MAXIMUM_1_BYTE_VARINT_VALUE 128
 #define AWS_IOT_ST_MAXIMUM_2_BYTE_VARINT_VALUE 16384
 #define AWS_IOT_ST_MAXIMUM_3_BYTE_VARINT_VALUE 2097152
-#define AWS_IOT_ST_MAX_MESSAGE_SIZE (64 * 1024)
+#define AWS_IOT_ST_MAX_PAYLOAD_SIZE (63 * 1024)
 
 enum aws_secure_tunnel_field_number {
     AWS_SECURE_TUNNEL_FN_TYPE = 1,
@@ -56,9 +56,6 @@ int aws_secure_tunnel_deserialize_message_from_cursor(
     struct aws_byte_cursor *cursor,
     aws_secure_tunnel_on_message_received_fn *on_message_received);
 
-AWS_IOTDEVICE_API
-const char *aws_secure_tunnel_message_type_to_c_string(enum aws_secure_tunnel_message_type message_type);
-
 AWS_EXTERN_C_END
 
 #endif