/* * For each name in the cert. Iterate them. Call the callback. If one returns true, then consider it validated, * if none of them return true, the cert is considered invalid. */ static uint8_t s2n_verify_host_information(struct s2n_x509_validator *validator, struct s2n_connection *conn, X509 *public_cert) { uint8_t verified = 0; uint8_t san_found = 0; /* Check SubjectAltNames before CommonName as per RFC 6125 6.4.4 */ STACK_OF(GENERAL_NAME) *names_list = X509_get_ext_d2i(public_cert, NID_subject_alt_name, NULL, NULL); int n = sk_GENERAL_NAME_num(names_list); for (int i = 0; i < n && !verified; i++) { GENERAL_NAME *current_name = sk_GENERAL_NAME_value(names_list, i); if (current_name->type == GEN_DNS) { san_found = 1; const char *name = (const char *) ASN1_STRING_data(current_name->d.ia5); size_t name_len = (size_t) ASN1_STRING_length(current_name->d.ia5); verified = conn->verify_host_fn(name, name_len, conn->data_for_verify_host); } } GENERAL_NAMES_free(names_list); /* if no SubjectAltNames of type DNS found, go to the common name. */ if (!san_found) { X509_NAME *subject_name = X509_get_subject_name(public_cert); if (subject_name) { int next_idx = 0, curr_idx = -1; while ((next_idx = X509_NAME_get_index_by_NID(subject_name, NID_commonName, curr_idx)) >= 0) { curr_idx = next_idx; } if (curr_idx >= 0) { ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx)); if (common_name) { char peer_cn[255]; static size_t peer_cn_size = sizeof(peer_cn); memset_check(&peer_cn, 0, peer_cn_size); // X520CommonName allows the following ANSI string types per RFC 5280 Appendix A.1 if (ASN1_STRING_type(common_name) == V_ASN1_TELETEXSTRING || ASN1_STRING_type(common_name) == V_ASN1_PRINTABLESTRING || ASN1_STRING_type(common_name) == V_ASN1_UNIVERSALSTRING || ASN1_STRING_type(common_name) == V_ASN1_UTF8STRING || ASN1_STRING_type(common_name) == V_ASN1_BMPSTRING ) { size_t len = (size_t) ASN1_STRING_length(common_name); lte_check(len, sizeof(peer_cn) - 1); memcpy_check(peer_cn, ASN1_STRING_data(common_name), len); verified = conn->verify_host_fn(peer_cn, len, conn->data_for_verify_host); } } } } } return verified; }
int s2n_client_extensions_recv(struct s2n_connection *conn, struct s2n_blob *extensions) { struct s2n_stuffer in; GUARD(s2n_stuffer_init(&in, extensions)); GUARD(s2n_stuffer_write(&in, extensions)); while (s2n_stuffer_data_available(&in)) { struct s2n_blob ext; uint16_t extension_type, extension_size; struct s2n_stuffer extension; GUARD(s2n_stuffer_read_uint16(&in, &extension_type)); GUARD(s2n_stuffer_read_uint16(&in, &extension_size)); ext.size = extension_size; lte_check(extension_size, s2n_stuffer_data_available(&in)); ext.data = s2n_stuffer_raw_read(&in, ext.size); notnull_check(ext.data); GUARD(s2n_stuffer_init(&extension, &ext)); GUARD(s2n_stuffer_write(&extension, &ext)); switch (extension_type) { case TLS_EXTENSION_SERVER_NAME: GUARD(s2n_recv_client_server_name(conn, &extension)); break; case TLS_EXTENSION_SIGNATURE_ALGORITHMS: GUARD(s2n_recv_client_signature_algorithms(conn, &extension, &conn->secure.conn_hash_alg, &conn->secure.conn_sig_alg)); break; case TLS_EXTENSION_ALPN: GUARD(s2n_recv_client_alpn(conn, &extension)); break; case TLS_EXTENSION_STATUS_REQUEST: GUARD(s2n_recv_client_status_request(conn, &extension)); break; case TLS_EXTENSION_ELLIPTIC_CURVES: GUARD(s2n_recv_client_elliptic_curves(conn, &extension)); break; case TLS_EXTENSION_EC_POINT_FORMATS: GUARD(s2n_recv_client_ec_point_formats(conn, &extension)); break; case TLS_EXTENSION_RENEGOTIATION_INFO: GUARD(s2n_recv_client_renegotiation_info(conn, &extension)); break; case TLS_EXTENSION_SCT_LIST: GUARD(s2n_recv_client_sct_list(conn, &extension)); break; case TLS_EXTENSION_MAX_FRAG_LEN: GUARD(s2n_recv_client_max_frag_len(conn, &extension)); break; } } return 0; }
static int s2n_sslv3_server_finished(struct s2n_connection *conn) { uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 }; struct s2n_hash_state md5, sha1; lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished)); GUARD(s2n_hash_copy(&md5, &conn->handshake.md5)); GUARD(s2n_hash_copy(&sha1, &conn->handshake.sha1)); return s2n_sslv3_finished(conn, prefix, &md5, &sha1, conn->handshake.server_finished); }
/* A TLS CBC record looks like .. * * [ Payload data ] [ HMAC ] [ Padding ] [ Padding length byte ] * * Each byte in the padding is expected to be set to the same value * as the padding length byte. So if the padding length byte is '2' * then the padding will be [ '2', '2' ] (there'll be three bytes * set to that value if you include the padding length byte). * * The goal of s2n_verify_cbc() is to verify that the padding and hmac * are correct, without leaking (via timing) how much padding there * actually is: as this is considered secret. * * In addition to our efforts here though, s2n also wraps any CBC * verification error (or record parsing error in general) with * a randomized delay of between 1ms and 10 seconds. See s2n_connection.c. * This amount of delay randomization is sufficient to increase the * complexity of attack for even a 1 microsecond timing leak (which * is quite large) by a factor of around 83 trillion. */ int s2n_verify_cbc(struct s2n_connection *conn, struct s2n_hmac_state *hmac, struct s2n_blob *decrypted) { struct s2n_hmac_state copy; int mac_digest_size = s2n_hmac_digest_size(hmac->alg); /* The record has to be at least big enough to contain the MAC, * plus the padding length byte */ gt_check(decrypted->size, mac_digest_size); int payload_and_padding_size = decrypted->size - mac_digest_size; /* Determine what the padding length is */ uint8_t padding_length = decrypted->data[decrypted->size - 1]; int payload_length = MAX(payload_and_padding_size - padding_length - 1, 0); /* Update the MAC */ GUARD(s2n_hmac_update(hmac, decrypted->data, payload_length)); GUARD(s2n_hmac_copy(©, hmac)); /* Check the MAC */ uint8_t check_digest[S2N_MAX_DIGEST_LEN]; lte_check(mac_digest_size, sizeof(check_digest)); GUARD(s2n_hmac_digest_two_compression_rounds(hmac, check_digest, mac_digest_size)); int mismatches = s2n_constant_time_equals(decrypted->data + payload_length, check_digest, mac_digest_size) ^ 1; /* Compute a MAC on the rest of the data so that we perform the same number of hash operations */ GUARD(s2n_hmac_update(©, decrypted->data + payload_length + mac_digest_size, decrypted->size - payload_length - mac_digest_size - 1)); /* SSLv3 doesn't specify what the padding should actually be */ if (conn->actual_protocol_version == S2N_SSLv3) { return 0 - mismatches; } /* Check the maximum amount that could theoritically be padding */ int check = MIN(255, (payload_and_padding_size - 1)); int cutoff = check - padding_length; for (int i = 0, j = decrypted->size - 1 - check; i < check && j < decrypted->size; i++, j++) { uint8_t mask = ~(0xff << ((i >= cutoff) * 8)); mismatches |= (decrypted->data[j] ^ padding_length) & mask; } if (mismatches) { S2N_ERROR(S2N_ERR_CBC_VERIFY); } return 0; }
static int s2n_ecdsa_verify(const struct s2n_pkey *pub, struct s2n_hash_state *digest, struct s2n_blob *signature) { const s2n_ecdsa_public_key *key = &pub->key.ecdsa_key; notnull_check(key->ec_key); uint8_t digest_length; GUARD(s2n_hash_digest_size(digest->alg, &digest_length)); lte_check(digest_length, S2N_MAX_DIGEST_LEN); uint8_t digest_out[S2N_MAX_DIGEST_LEN]; GUARD(s2n_hash_digest(digest, digest_out, digest_length)); /* ECDSA_verify ignores the first parameter */ GUARD_OSSL(ECDSA_verify(0, digest_out, digest_length, signature->data, signature->size, key->ec_key), S2N_ERR_VERIFY_SIGNATURE); GUARD(s2n_hash_reset(digest)); return 0; }
static int s2n_ecdsa_sign(const struct s2n_pkey *priv, struct s2n_hash_state *digest, struct s2n_blob *signature) { const s2n_ecdsa_private_key *key = &priv->key.ecdsa_key; notnull_check(key->ec_key); uint8_t digest_length; GUARD(s2n_hash_digest_size(digest->alg, &digest_length)); lte_check(digest_length, S2N_MAX_DIGEST_LEN); uint8_t digest_out[S2N_MAX_DIGEST_LEN]; GUARD(s2n_hash_digest(digest, digest_out, digest_length)); unsigned int signature_size = signature->size; GUARD_OSSL(ECDSA_sign(0, digest_out, digest_length, signature->data, &signature_size, key->ec_key), S2N_ERR_SIGN); S2N_ERROR_IF(signature_size > signature->size, S2N_ERR_SIZE_MISMATCH); signature->size = signature_size; GUARD(s2n_hash_reset(digest)); return 0; }
int s2n_rsa_keys_match(struct s2n_rsa_public_key *pub, struct s2n_rsa_private_key *priv) { uint8_t plain_inpad[36], plain_outpad[36], encpad[8192]; struct s2n_blob plain_in, plain_out, enc; plain_in.data = plain_inpad; plain_in.size = sizeof(plain_inpad); GUARD(s2n_get_private_random_data(&plain_in)); enc.data = encpad; enc.size = s2n_rsa_public_encrypted_size(pub); lte_check(enc.size, sizeof(encpad)); GUARD(s2n_rsa_encrypt(pub, &plain_in, &enc)); plain_out.data = plain_outpad; plain_out.size = sizeof(plain_outpad); GUARD(s2n_rsa_decrypt(priv, &enc, &plain_out)); if (memcmp(plain_in.data, plain_out.data, plain_in.size)) { S2N_ERROR(S2N_ERR_KEY_MISMATCH); } return 0; }
/** * Private helper: write n (up to 64) bits of hex data */ static int s2n_stuffer_write_n_bits_hex(struct s2n_stuffer *stuffer, uint8_t n, uint64_t u) { uint8_t hex_data[16] = { 0 }; struct s2n_blob b = { .data = hex_data, .size = n / 4 }; lte_check(n, 64); for (int i = b.size; i > 0; i--) { b.data[i - 1] = hex[u & 0x0f]; u >>= 4; } GUARD(s2n_stuffer_write(stuffer, &b)); return 0; } int s2n_stuffer_write_uint64_hex(struct s2n_stuffer *stuffer, uint64_t u) { return s2n_stuffer_write_n_bits_hex(stuffer, 64, u); } int s2n_stuffer_write_uint32_hex(struct s2n_stuffer *stuffer, uint32_t u) { return s2n_stuffer_write_n_bits_hex(stuffer, 32, u); } int s2n_stuffer_write_uint16_hex(struct s2n_stuffer *stuffer, uint16_t u) { return s2n_stuffer_write_n_bits_hex(stuffer, 16, u); } int s2n_stuffer_write_uint8_hex(struct s2n_stuffer *stuffer, uint8_t u) { return s2n_stuffer_write_n_bits_hex(stuffer, 8, u); } int s2n_stuffer_alloc_ro_from_hex_string(struct s2n_stuffer *stuffer, const char *str) { if (strlen(str) % 2) { S2N_ERROR(S2N_ERR_SIZE_MISMATCH); } GUARD(s2n_stuffer_alloc(stuffer, strlen(str) / 2)); for (int i = 0; i < strlen(str); i += 2) { uint8_t u = 0; if (str[i] >= '0' && str[i] <= '9') { u = str[i] - '0'; } else if (str[i] >= 'a' && str[i] <= 'f') { u = str[i] - 'a' + 10; } else if (str[i] >= 'A' && str[i] <= 'F') { u = str[i] - 'A' + 10; } else { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } u <<= 4; if (str[i + 1] >= '0' && str[i + 1] <= '9') { u |= str[i + 1] - '0'; } else if (str[i + 1] >= 'a' && str[i + 1] <= 'f') { u |= str[i + 1] - 'a' + 10; } else if (str[i + 1] >= 'A' && str[i + 1] <= 'F') { u |= str[i + 1] - 'A' + 10; } else { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } GUARD(s2n_stuffer_write_uint8(stuffer, u)); } return 0; }
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out) { /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */ S2N_ERROR_IF(seed_a == NULL, S2N_ERR_PRF_INVALID_SEED); S2N_ERROR_IF(seed_b == NULL && seed_c != NULL, S2N_ERR_PRF_INVALID_SEED); if (conn->actual_protocol_version == S2N_SSLv3) { return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, seed_c, out); } /* We zero the out blob because p_hash works by XOR'ing with the existing * buffer. This is a little convoluted but means we can avoid dynamic memory * allocation. When we call p_hash once (in the TLS1.2 case) it will produce * the right values. When we call it twice in the regular case, the two * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require. */ GUARD(s2n_blob_zero(out)); /* Ensure that p_hash_hmac_impl is set, as it may have been reset for prf_space on s2n_connection_wipe. * When in FIPS mode, the EVP API's must be used for the p_hash HMAC. */ conn->prf_space.tls.p_hash_hmac_impl = s2n_is_in_fips_mode() ? &s2n_evp_hmac : &s2n_hmac; if (conn->actual_protocol_version == S2N_TLS12) { return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b, seed_c, out); } struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 }; GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out)); half_secret.data += secret->size - half_secret.size; GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out)); return 0; } int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret) { struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random}; struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random}; struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret}; uint8_t master_secret_label[] = "master secret"; struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label}; return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret); } int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret) { struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random}; struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random}; struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret}; uint8_t master_secret_label[] = "hybrid master secret"; struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label}; return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->secure.client_key_exchange_message, &master_secret); } static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t * out) { uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 }; uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c }; uint8_t *md5_digest = out; uint8_t *sha_digest = out + MD5_DIGEST_LENGTH; lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished)); GUARD(s2n_hash_update(md5, prefix, 4)); GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(md5, xorpad1, 48)); GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_reset(md5)); GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(md5, xorpad2, 48)); GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_reset(md5)); GUARD(s2n_hash_update(sha1, prefix, 4)); GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(sha1, xorpad1, 40)); GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_reset(sha1)); GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(sha1, xorpad2, 40)); GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_reset(sha1)); return 0; } static int s2n_sslv3_client_finished(struct s2n_connection *conn) { uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 }; lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished)); GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5)); GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1)); return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.client_finished); } static int s2n_sslv3_server_finished(struct s2n_connection *conn) { uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 }; lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished)); GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5)); GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1)); return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.server_finished); } int s2n_prf_client_finished(struct s2n_connection *conn) { struct s2n_blob master_secret, md5, sha; uint8_t md5_digest[MD5_DIGEST_LENGTH]; uint8_t sha_digest[SHA384_DIGEST_LENGTH]; uint8_t client_finished_label[] = "client finished"; struct s2n_blob client_finished = {0}; struct s2n_blob label = {0}; if (conn->actual_protocol_version == S2N_SSLv3) { return s2n_sslv3_client_finished(conn); } client_finished.data = conn->handshake.client_finished; client_finished.size = S2N_TLS_FINISHED_LEN; label.data = client_finished_label; label.size = sizeof(client_finished_label) - 1; master_secret.data = conn->secure.master_secret; master_secret.size = sizeof(conn->secure.master_secret); if (conn->actual_protocol_version == S2N_TLS12) { switch (conn->secure.cipher_suite->tls12_prf_alg) { case S2N_HMAC_SHA256: GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256)); GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH)); sha.size = SHA256_DIGEST_LENGTH; break; case S2N_HMAC_SHA384: GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384)); GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH)); sha.size = SHA384_DIGEST_LENGTH; break; default: S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM); } sha.data = sha_digest; return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished); } GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5)); GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1)); GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH)); md5.data = md5_digest; md5.size = MD5_DIGEST_LENGTH; sha.data = sha_digest; sha.size = SHA_DIGEST_LENGTH; return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished); } int s2n_prf_server_finished(struct s2n_connection *conn) { struct s2n_blob master_secret, md5, sha; uint8_t md5_digest[MD5_DIGEST_LENGTH]; uint8_t sha_digest[SHA384_DIGEST_LENGTH]; uint8_t server_finished_label[] = "server finished"; struct s2n_blob server_finished = {0}; struct s2n_blob label = {0}; if (conn->actual_protocol_version == S2N_SSLv3) { return s2n_sslv3_server_finished(conn); } server_finished.data = conn->handshake.server_finished; server_finished.size = S2N_TLS_FINISHED_LEN; label.data = server_finished_label; label.size = sizeof(server_finished_label) - 1; master_secret.data = conn->secure.master_secret; master_secret.size = sizeof(conn->secure.master_secret); if (conn->actual_protocol_version == S2N_TLS12) { switch (conn->secure.cipher_suite->tls12_prf_alg) { case S2N_HMAC_SHA256: GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256)); GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH)); sha.size = SHA256_DIGEST_LENGTH; break; case S2N_HMAC_SHA384: GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384)); GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH)); sha.size = SHA384_DIGEST_LENGTH; break; default: S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM); } sha.data = sha_digest; return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished); } GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5)); GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1)); GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH)); md5.data = md5_digest; md5.size = MD5_DIGEST_LENGTH; sha.data = sha_digest; sha.size = SHA_DIGEST_LENGTH; return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished); } static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_stuffer *key_material) { struct s2n_blob client_key = {0}; client_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size; client_key.data = s2n_stuffer_raw_read(key_material, client_key.size); notnull_check(client_key.data); if (conn->mode == S2N_CLIENT) { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.client_key, &client_key)); } else { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.client_key, &client_key)); } return 0; } static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_stuffer *key_material) { struct s2n_blob server_key = {0}; server_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size; server_key.data = s2n_stuffer_raw_read(key_material, server_key.size); notnull_check(server_key.data); if (conn->mode == S2N_SERVER) { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.server_key, &server_key)); } else { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.server_key, &server_key)); } return 0; } int s2n_prf_key_expansion(struct s2n_connection *conn) { struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) }; struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) }; struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) }; struct s2n_blob label, out; uint8_t key_expansion_label[] = "key expansion"; uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN]; label.data = key_expansion_label; label.size = sizeof(key_expansion_label) - 1; out.data = key_block; out.size = sizeof(key_block); struct s2n_stuffer key_material = {{0}}; GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &out)); GUARD(s2n_stuffer_init(&key_material, &out)); GUARD(s2n_stuffer_write(&key_material, &out)); GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.client_key)); GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.server_key)); /* Check that we have a valid MAC and key size */ uint8_t mac_size; if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) { mac_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.mac_key_size; } else { GUARD(s2n_hmac_digest_size(conn->secure.cipher_suite->record_alg->hmac_alg, &mac_size)); } /* Seed the client MAC */ uint8_t *client_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size); notnull_check(client_mac_write_key); GUARD(s2n_hmac_reset(&conn->secure.client_record_mac)); GUARD(s2n_hmac_init(&conn->secure.client_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, client_mac_write_key, mac_size)); /* Seed the server MAC */ uint8_t *server_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size); notnull_check(server_mac_write_key); GUARD(s2n_hmac_reset(&conn->secure.server_record_mac)); GUARD(s2n_hmac_init(&conn->secure.server_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, server_mac_write_key, mac_size)); /* Make the client key */ GUARD(s2n_prf_make_client_key(conn, &key_material)); /* Make the server key */ GUARD(s2n_prf_make_server_key(conn, &key_material)); /* Composite CBC does MAC inside the cipher, pass it the MAC key. * Must happen after setting encryption/decryption keys. */ if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) { GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.server_key, server_mac_write_key, mac_size)); GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.client_key, client_mac_write_key, mac_size)); } /* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */ if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->record_alg->cipher->type != S2N_AEAD) { return 0; } uint32_t implicit_iv_size = 0; switch (conn->secure.cipher_suite->record_alg->cipher->type) { case S2N_AEAD: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; break; case S2N_CBC: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.cbc.block_size; break; case S2N_COMPOSITE: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.block_size; break; /* No-op for stream ciphers */ default: break; } struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv,.size = implicit_iv_size }; struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv,.size = implicit_iv_size }; GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv)); GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv)); return 0; }
static int s2n_drbg_bits(struct s2n_drbg *drbg, struct s2n_blob *out) { struct s2n_blob value = {.data = drbg->v,.size = sizeof(drbg->v) }; int block_aligned_size = out->size - (out->size % S2N_DRBG_BLOCK_SIZE); /* Per NIST SP800-90A 10.2.1.2: */ for (int i = 0; i < block_aligned_size; i += S2N_DRBG_BLOCK_SIZE) { GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(drbg->ctx, drbg->v, out->data + i)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; } if (out->size <= block_aligned_size) { return 0; } uint8_t spare_block[S2N_DRBG_BLOCK_SIZE]; GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(drbg->ctx, drbg->v, spare_block)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; memcpy_check(out->data + block_aligned_size, spare_block, out->size - block_aligned_size); return 0; } static int s2n_drbg_update(struct s2n_drbg *drbg, struct s2n_blob *provided_data) { uint8_t temp[32]; struct s2n_blob temp_blob = {.data = temp,.size = sizeof(temp) }; eq_check(provided_data->size, sizeof(temp)); GUARD(s2n_drbg_bits(drbg, &temp_blob)); /* XOR in the provided data */ for (int i = 0; i < provided_data->size; i++) { temp[i] ^= provided_data->data[i]; } /* Update the key and value */ GUARD_OSSL(EVP_EncryptInit_ex(drbg->ctx, EVP_aes_128_ecb(), NULL, temp, NULL), S2N_ERR_DRBG); memcpy_check(drbg->v, temp + S2N_DRBG_BLOCK_SIZE, S2N_DRBG_BLOCK_SIZE); return 0; } int s2n_drbg_seed(struct s2n_drbg *drbg, struct s2n_blob *ps) { uint8_t seed[32]; struct s2n_blob blob = {.data = seed,.size = sizeof(seed) }; lte_check(ps->size, sizeof(seed)); if (drbg->entropy_generator) { GUARD(drbg->entropy_generator(&blob)); } else { GUARD(s2n_get_urandom_data(&blob)); } for (int i = 0; i < ps->size; i++) { blob.data[i] ^= ps->data[i]; } GUARD(s2n_drbg_update(drbg, &blob)); drbg->bytes_used = 0; drbg->generation += 1; return 0; } int s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personalization_string) { struct s2n_blob value = {.data = drbg->v,.size = sizeof(drbg->v) }; uint8_t ps_prefix[32]; struct s2n_blob ps = {.data = ps_prefix,.size = sizeof(ps_prefix) }; /* Start off with zeroed data, per 10.2.1.3.1 item 4 */ GUARD(s2n_blob_zero(&value)); drbg->ctx = EVP_CIPHER_CTX_new(); S2N_ERROR_IF(!drbg->ctx, S2N_ERR_DRBG); (void)EVP_CIPHER_CTX_init(drbg->ctx); /* Start off with zeroed key, per 10.2.1.3.1 item 5 */ GUARD_OSSL(EVP_EncryptInit_ex(drbg->ctx, EVP_aes_128_ecb(), NULL, drbg->v, NULL), S2N_ERR_DRBG); /* Copy the personalization string */ GUARD(s2n_blob_zero(&ps)); memcpy_check(ps.data, personalization_string->data, MIN(ps.size, personalization_string->size)); /* Seed / update the DRBG */ GUARD(s2n_drbg_seed(drbg, &ps)); /* After initial seeding, pivot to RDRAND if available and not overridden */ if (drbg->entropy_generator == NULL && s2n_cpu_supports_rdrand()) { drbg->entropy_generator = s2n_get_rdrand_data; } return 0; } int s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *blob) { uint8_t all_zeros[32] = { 0 }; struct s2n_blob zeros = {.data = all_zeros,.size = sizeof(all_zeros) }; S2N_ERROR_IF(blob->size > S2N_DRBG_GENERATE_LIMIT, S2N_ERR_DRBG_REQUEST_SIZE); /* If either the entropy generator is set, for prediction resistance, * or if we reach the definitely-need-to-reseed limit, then reseed. */ if (drbg->entropy_generator || drbg->bytes_used + blob->size + S2N_DRBG_BLOCK_SIZE >= S2N_DRBG_RESEED_LIMIT) { GUARD(s2n_drbg_seed(drbg, &zeros)); } GUARD(s2n_drbg_bits(drbg, blob)); GUARD(s2n_drbg_update(drbg, &zeros)); return 0; } int s2n_drbg_wipe(struct s2n_drbg *drbg) { struct s2n_blob state = {.data = (void *)drbg,.size = sizeof(struct s2n_drbg) }; if (drbg->ctx) { GUARD_OSSL(EVP_CIPHER_CTX_cleanup(drbg->ctx), S2N_ERR_DRBG); EVP_CIPHER_CTX_free(drbg->ctx); drbg->ctx = NULL; } GUARD(s2n_blob_zero(&state)); return 0; } int s2n_drbg_bytes_used(struct s2n_drbg *drbg) { return drbg->bytes_used; }
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out) { if (conn->actual_protocol_version == S2N_SSLv3) { return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, out); } /* We zero the out blob because p_hash works by XOR'ing with the existing * buffer. This is a little convuloted but means we can avoid dynamic memory * allocation. When we call p_hash once (in the TLS1.2 case) it will produce * the right values. When we call it twice in the regular case, the two * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require. */ GUARD(s2n_blob_zero(out)); if (conn->actual_protocol_version == S2N_TLS12) { return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b, out); } struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 }; GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, out)); half_secret.data += secret->size - half_secret.size; GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, out)); return 0; } int s2n_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret) { struct s2n_blob client_random, server_random, master_secret; struct s2n_blob label; uint8_t master_secret_label[] = "master secret"; client_random.data = conn->secure.client_random; client_random.size = sizeof(conn->secure.client_random); server_random.data = conn->secure.server_random; server_random.size = sizeof(conn->secure.server_random); master_secret.data = conn->secure.master_secret; master_secret.size = sizeof(conn->secure.master_secret); label.data = master_secret_label; label.size = sizeof(master_secret_label) - 1; return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &master_secret); } static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t *out) { uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 }; uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c }; uint8_t *md5_digest = out; uint8_t *sha_digest = out + MD5_DIGEST_LENGTH; lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished)); GUARD(s2n_hash_update(md5, prefix, 4)); GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(md5, xorpad1, 48)); GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_reset(md5)); GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(md5, xorpad2, 48)); GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH)); GUARD(s2n_hash_reset(md5)); GUARD(s2n_hash_update(sha1, prefix, 4)); GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(sha1, xorpad1, 40)); GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_reset(sha1)); GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret))); GUARD(s2n_hash_update(sha1, xorpad2, 40)); GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH)); GUARD(s2n_hash_reset(sha1)); return 0; }