/* See http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html 2.5 */
int s2n_sslv2_client_hello_recv(struct s2n_connection *conn)
{
struct s2n_stuffer *in = &conn->handshake.io;
uint16_t session_id_length;
uint16_t cipher_suites_length;
uint16_t challenge_length;
uint8_t *cipher_suites;
if (conn->client_protocol_version < conn->config->cipher_preferences->minimum_protocol_version || conn->client_protocol_version > conn->server_protocol_version) {
GUARD(s2n_queue_reader_unsupported_protocol_version_alert(conn));
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
conn->actual_protocol_version = MIN(conn->client_protocol_version, conn->server_protocol_version);
conn->client_hello_version = S2N_SSLv2;
/* We start 5 bytes into the record */
GUARD(s2n_stuffer_read_uint16(in, &cipher_suites_length));
if (cipher_suites_length % S2N_SSLv2_CIPHER_SUITE_LEN) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
GUARD(s2n_stuffer_read_uint16(in, &session_id_length));
GUARD(s2n_stuffer_read_uint16(in, &challenge_length));
if (challenge_length > S2N_TLS_RANDOM_DATA_LEN) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
cipher_suites = s2n_stuffer_raw_read(in, cipher_suites_length);
notnull_check(cipher_suites);
GUARD(s2n_set_cipher_as_sslv2_server(conn, cipher_suites, cipher_suites_length / S2N_SSLv2_CIPHER_SUITE_LEN));
if (session_id_length > s2n_stuffer_data_available(in)) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
if (session_id_length > 0 && session_id_length <= S2N_TLS_SESSION_ID_MAX_LEN) {
GUARD(s2n_stuffer_read_bytes(in, conn->session_id, session_id_length));
conn->session_id_len = (uint8_t) session_id_length;
} else {
GUARD(s2n_stuffer_skip_read(in, session_id_length));
}
struct s2n_blob b;
b.data = conn->secure.client_random;
b.size = S2N_TLS_RANDOM_DATA_LEN;
b.data += S2N_TLS_RANDOM_DATA_LEN - challenge_length;
b.size -= S2N_TLS_RANDOM_DATA_LEN - challenge_length;
GUARD(s2n_stuffer_read(in, &b));
conn->server->chosen_cert_chain = conn->config->cert_and_key_pairs;
GUARD(s2n_conn_set_handshake_type(conn));
return 0;
}
int s2n_stuffer_read_uint16(struct s2n_stuffer *stuffer, uint16_t *u)
{
uint8_t data[2];
GUARD(s2n_stuffer_read_bytes(stuffer, data, sizeof(data)));
*u = data[0] << 8;
*u |= data[1];
return 0;
}
int s2n_client_hello_recv(struct s2n_connection *conn)
{
struct s2n_stuffer *in = &conn->handshake.io;
uint8_t compression_methods;
uint16_t extensions_size;
uint16_t cipher_suites_length;
uint8_t *cipher_suites;
uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
GUARD(s2n_stuffer_read_bytes(in, client_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
GUARD(s2n_stuffer_read_bytes(in, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_stuffer_read_uint8(in, &conn->session_id_len));
conn->client_protocol_version = (client_protocol_version[0] * 10) + client_protocol_version[1];
if (conn->client_protocol_version < conn->config->cipher_preferences->minimum_protocol_version || conn->client_protocol_version > conn->server_protocol_version) {
GUARD(s2n_queue_reader_unsupported_protocol_version_alert(conn));
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
conn->client_hello_version = conn->client_protocol_version;
conn->actual_protocol_version = MIN(conn->client_protocol_version, conn->server_protocol_version);
if (conn->session_id_len > S2N_TLS_SESSION_ID_MAX_LEN || conn->session_id_len > s2n_stuffer_data_available(in)) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
GUARD(s2n_stuffer_read_bytes(in, conn->session_id, conn->session_id_len));
GUARD(s2n_stuffer_read_uint16(in, &cipher_suites_length));
if (cipher_suites_length % S2N_TLS_CIPHER_SUITE_LEN) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
cipher_suites = s2n_stuffer_raw_read(in, cipher_suites_length);
notnull_check(cipher_suites);
/* Don't choose the cipher yet, read the extensions first */
GUARD(s2n_stuffer_read_uint8(in, &compression_methods));
GUARD(s2n_stuffer_skip_read(in, compression_methods));
/* This is going to be our default if the client has no preference. */
conn->secure.server_ecc_params.negotiated_curve = &s2n_ecc_supported_curves[0];
if (s2n_stuffer_data_available(in) >= 2) {
/* Read extensions if they are present */
GUARD(s2n_stuffer_read_uint16(in, &extensions_size));
if (extensions_size > s2n_stuffer_data_available(in)) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
struct s2n_blob extensions;
extensions.size = extensions_size;
extensions.data = s2n_stuffer_raw_read(in, extensions.size);
notnull_check(extensions.data);
GUARD(s2n_client_extensions_recv(conn, &extensions));
}
/* Now choose the ciphers and the cert chain. */
GUARD(s2n_set_cipher_as_tls_server(conn, cipher_suites, cipher_suites_length / 2));
conn->server->chosen_cert_chain = conn->config->cert_and_key_pairs;
/* Set the handshake type */
GUARD(s2n_conn_set_handshake_type(conn));
return 0;
}
static int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
uint16_t size_of_all;
struct s2n_stuffer client_protos;
struct s2n_stuffer server_protos;
if (!conn->config->application_protocols.size) {
/* No protocols configured, nothing to do */
return 0;
}
GUARD(s2n_stuffer_read_uint16(extension, &size_of_all));
if (size_of_all > s2n_stuffer_data_available(extension) || size_of_all < 3) {
/* Malformed length, ignore the extension */
return 0;
}
struct s2n_blob application_protocols = {
.data = s2n_stuffer_raw_read(extension, size_of_all),
.size = size_of_all
};
notnull_check(application_protocols.data);
/* Find a matching protocol */
GUARD(s2n_stuffer_init(&client_protos, &application_protocols));
GUARD(s2n_stuffer_write(&client_protos, &application_protocols));
GUARD(s2n_stuffer_init(&server_protos, &conn->config->application_protocols));
GUARD(s2n_stuffer_write(&server_protos, &conn->config->application_protocols));
while (s2n_stuffer_data_available(&server_protos)) {
uint8_t length;
uint8_t protocol[255];
GUARD(s2n_stuffer_read_uint8(&server_protos, &length));
GUARD(s2n_stuffer_read_bytes(&server_protos, protocol, length));
while (s2n_stuffer_data_available(&client_protos)) {
uint8_t client_length;
GUARD(s2n_stuffer_read_uint8(&client_protos, &client_length));
if (client_length > s2n_stuffer_data_available(&client_protos)) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
if (client_length != length) {
GUARD(s2n_stuffer_skip_read(&client_protos, client_length));
} else {
uint8_t client_protocol[255];
GUARD(s2n_stuffer_read_bytes(&client_protos, client_protocol, client_length));
if (memcmp(client_protocol, protocol, client_length) == 0) {
memcpy_check(conn->application_protocol, client_protocol, client_length);
conn->application_protocol[client_length] = '\0';
return 0;
}
}
}
GUARD(s2n_stuffer_reread(&client_protos));
}
S2N_ERROR(S2N_ERR_NO_APPLICATION_PROTOCOL);
}
static int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
if (s2n_stuffer_data_available(extension) < 5) {
/* Malformed length, ignore the extension */
return 0;
}
uint8_t type;
GUARD(s2n_stuffer_read_uint8(extension, &type));
if (type != (uint8_t) S2N_STATUS_REQUEST_OCSP) {
/* We only support OCSP (type 1), ignore the extension */
return 0;
}
conn->status_type = (s2n_status_request_type) type;
return 0;
}
static int s2n_recv_client_elliptic_curves(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
uint16_t size_of_all;
struct s2n_blob proposed_curves;
GUARD(s2n_stuffer_read_uint16(extension, &size_of_all));
if (size_of_all > s2n_stuffer_data_available(extension) || size_of_all % 2) {
/* Malformed length, ignore the extension */
return 0;
}
proposed_curves.size = size_of_all;
proposed_curves.data = s2n_stuffer_raw_read(extension, proposed_curves.size);
notnull_check(proposed_curves.data);
if (s2n_ecc_find_supported_curve(&proposed_curves, &conn->secure.server_ecc_params.negotiated_curve) != 0) {
/* Can't agree on a curve, ECC is not allowed. Return success to proceed with the handshake. */
conn->secure.server_ecc_params.negotiated_curve = NULL;
}
return 0;
}
int s2n_server_hello_recv(struct s2n_connection *conn)
{
struct s2n_stuffer *in = &conn->handshake.io;
uint8_t compression_method;
uint8_t session_id[S2N_TLS_SESSION_ID_LEN];
uint8_t session_id_len;
uint16_t extensions_size;
uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
GUARD(s2n_stuffer_read_bytes(in, protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
conn->server_protocol_version = (protocol_version[0] * 10) + protocol_version[1];
if (conn->server_protocol_version > conn->actual_protocol_version) {
GUARD(s2n_queue_reader_unsupported_protocol_version_alert(conn));
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
conn->actual_protocol_version = conn->server_protocol_version;
conn->actual_protocol_version_established = 1;
/* Verify that the protocol version is sane */
if (conn->actual_protocol_version < S2N_SSLv3 || conn->actual_protocol_version > S2N_TLS12) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
conn->pending.signature_digest_alg = S2N_HASH_MD5_SHA1;
if (conn->actual_protocol_version == S2N_TLS12) {
conn->pending.signature_digest_alg = S2N_HASH_SHA1;
}
GUARD(s2n_stuffer_read_bytes(in, conn->pending.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_stuffer_read_uint8(in, &session_id_len));
if (session_id_len > S2N_TLS_SESSION_ID_LEN) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
GUARD(s2n_stuffer_read_bytes(in, session_id, session_id_len));
uint8_t *cipher_suite_wire = s2n_stuffer_raw_read(in, S2N_TLS_CIPHER_SUITE_LEN);
notnull_check(cipher_suite_wire);
GUARD(s2n_set_cipher_as_client(conn, cipher_suite_wire));
GUARD(s2n_stuffer_read_uint8(in, &compression_method));
if (compression_method != S2N_TLS_COMPRESSION_METHOD_NULL) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
if (s2n_stuffer_data_available(in) < 2) {
GUARD(s2n_conn_set_handshake_type(conn));
/* No extensions */
return 0;
}
GUARD(s2n_stuffer_read_uint16(in, &extensions_size));
if (extensions_size > s2n_stuffer_data_available(in)) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
struct s2n_blob extensions;
extensions.size = extensions_size;
extensions.data = s2n_stuffer_raw_read(in, extensions.size);
GUARD(s2n_server_extensions_recv(conn, &extensions));
GUARD(s2n_conn_set_handshake_type(conn));
return 0;
}
int main(int argc, char **argv)
{
uint8_t data[256] = { 0 };
struct s2n_drbg drbg = {{ 0 }};
struct s2n_blob blob = {.data = data, .size = 64 };
struct s2n_timer timer;
uint64_t drbg_nanoseconds;
uint64_t urandom_nanoseconds;
struct s2n_stuffer nist_reference_personalization_strings;
struct s2n_stuffer nist_reference_returned_bits;
struct s2n_stuffer nist_reference_values;
struct s2n_config *config;
BEGIN_TEST();
EXPECT_NOT_NULL(config = s2n_config_new())
/* Open /dev/urandom */
EXPECT_TRUE(entropy_fd = open("/dev/urandom", O_RDONLY));
/* Convert the hex entropy data into binary */
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_entropy, nist_reference_entropy_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_personalization_strings, nist_reference_personalization_strings_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_returned_bits, nist_reference_returned_bits_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_values, nist_reference_values_hex));
/* Check everything against the NIST vectors */
for (int i = 0; i < 14; i++) {
uint8_t ps[32];
struct s2n_drbg nist_drbg = { .entropy_generator = nist_fake_urandom_data };
struct s2n_blob personalization_string = {.data = ps, .size = 32};
/* Read the next personalization string */
EXPECT_SUCCESS(s2n_stuffer_read(&nist_reference_personalization_strings, &personalization_string));
/* Instantiate the DRBG */
EXPECT_SUCCESS(s2n_drbg_instantiate(&nist_drbg, &personalization_string));
uint8_t nist_v[16];
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
/* Generate 512 bits (FIRST CALL) */
uint8_t out[64];
struct s2n_blob generated = {.data = out, .size = 64 };
EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated));
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
/* Generate another 512 bits (SECOND CALL) */
EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated));
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
uint8_t nist_returned_bits[64];
GUARD(s2n_stuffer_read_bytes(&nist_reference_returned_bits, nist_returned_bits, sizeof(nist_returned_bits)));
EXPECT_TRUE(memcmp(nist_returned_bits, out, sizeof(nist_returned_bits)) == 0);
EXPECT_SUCCESS(s2n_drbg_wipe(&nist_drbg));
}
EXPECT_SUCCESS(s2n_drbg_instantiate(&drbg, &blob));
/* Use the DRBG for 32MB of data */
EXPECT_SUCCESS(s2n_timer_start(config, &timer));
for (int i = 0; i < 500000; i++) {
EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob));
}
EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &drbg_nanoseconds));
/* Use urandom for 32MB of data */
EXPECT_SUCCESS(s2n_timer_start(config, &timer));
for (int i = 0; i < 500000; i++) {
EXPECT_SUCCESS(s2n_get_urandom_data(&blob));
}
EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &urandom_nanoseconds));
/* Confirm that the DRBG is faster than urandom */
EXPECT_TRUE(drbg_nanoseconds < urandom_nanoseconds);
/* NOTE: s2n_random_test also includes monobit tests for this DRBG */
/* the DRBG state is 128 bytes, test that we can get more than that */
blob.size = 129;
for (int i = 0; i < 10; i++) {
EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob));
}
EXPECT_SUCCESS(s2n_drbg_wipe(&drbg));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_entropy));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_personalization_strings));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_returned_bits));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_values));
END_TEST();
}
int s2n_stuffer_read_uint8(struct s2n_stuffer *stuffer, uint8_t *u)
{
GUARD(s2n_stuffer_read_bytes(stuffer, u, 1));
return 0;
}
int s2n_stuffer_read(struct s2n_stuffer *stuffer, struct s2n_blob *out)
{
notnull_check(out);
return s2n_stuffer_read_bytes(stuffer, out->data, out->size);
}
