int s2n_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state *signature_hash = &conn->secure.signature_hash;
const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob data_to_verify = {0};
/* Read the KEX data */
union s2n_kex_raw_server_data kex_data = {{{0}}};
GUARD(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
/* Add common signature data */
if (conn->actual_protocol_version == S2N_TLS12) {
s2n_hash_algorithm hash_algorithm;
s2n_signature_algorithm signature_algorithm;
GUARD(s2n_get_signature_hash_pair_if_supported(in, &hash_algorithm, &signature_algorithm));
GUARD(s2n_hash_init(signature_hash, hash_algorithm));
} else {
GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg));
}
GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
/* Add KEX specific data */
GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
/* Verify the signature */
uint16_t signature_length;
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
struct s2n_blob signature = {.size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length)};
notnull_check(signature.data);
gt_check(signature_length, 0);
S2N_ERROR_IF(s2n_pkey_verify(&conn->secure.server_public_key, signature_hash, &signature) < 0, S2N_ERR_BAD_MESSAGE);
/* We don't need the key any more, so free it */
GUARD(s2n_pkey_free(&conn->secure.server_public_key));
/* Parse the KEX data into whatever form needed and save it to the connection object */
GUARD(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
return 0;
}
int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, union s2n_kex_raw_server_data *raw_server_data)
{
struct s2n_stuffer *in = &conn->handshake.io;
GUARD(s2n_ecc_read_ecc_params(in, data_to_verify, &raw_server_data->ecdhe_data));
return 0;
}
int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, union s2n_kex_raw_server_data *raw_server_data)
{
GUARD(s2n_ecc_parse_ecc_params(&conn->secure.server_ecc_params, &raw_server_data->ecdhe_data));
return 0;
}
/* A TLS CBC record looks like ..
*
* [ Payload data ] [ HMAC ] [ Padding ] [ Padding length byte ]
*
* Each byte in the padding is expected to be set to the same value
* as the padding length byte. So if the padding length byte is '2'
* then the padding will be [ '2', '2' ] (there'll be three bytes
* set to that value if you include the padding length byte).
*
* The goal of s2n_verify_cbc() is to verify that the padding and hmac
* are correct, without leaking (via timing) how much padding there
* actually is: as this is considered secret.
*
* In addition to our efforts here though, s2n also wraps any CBC
* verification error (or record parsing error in general) with
* a randomized delay of between 1ms and 10 seconds. See s2n_connection.c.
* This amount of delay randomization is sufficient to increase the
* complexity of attack for even a 1 microsecond timing leak (which
* is quite large) by a factor of around 83 trillion.
*/
int s2n_verify_cbc(struct s2n_connection *conn, struct s2n_hmac_state *hmac, struct s2n_blob *decrypted)
{
struct s2n_hmac_state copy;
int mac_digest_size = s2n_hmac_digest_size(hmac->alg);
/* The record has to be at least big enough to contain the MAC,
* plus the padding length byte */
gt_check(decrypted->size, mac_digest_size);
int payload_and_padding_size = decrypted->size - mac_digest_size;
/* Determine what the padding length is */
uint8_t padding_length = decrypted->data[decrypted->size - 1];
int payload_length = MAX(payload_and_padding_size - padding_length - 1, 0);
/* Update the MAC */
GUARD(s2n_hmac_update(hmac, decrypted->data, payload_length));
GUARD(s2n_hmac_copy(©, hmac));
/* Check the MAC */
uint8_t check_digest[S2N_MAX_DIGEST_LEN];
lte_check(mac_digest_size, sizeof(check_digest));
GUARD(s2n_hmac_digest_two_compression_rounds(hmac, check_digest, mac_digest_size));
int mismatches = s2n_constant_time_equals(decrypted->data + payload_length, check_digest, mac_digest_size) ^ 1;
/* Compute a MAC on the rest of the data so that we perform the same number of hash operations */
GUARD(s2n_hmac_update(©, decrypted->data + payload_length + mac_digest_size, decrypted->size - payload_length - mac_digest_size - 1));
/* SSLv3 doesn't specify what the padding should actually be */
if (conn->actual_protocol_version == S2N_SSLv3) {
return 0 - mismatches;
}
/* Check the maximum amount that could theoritically be padding */
int check = MIN(255, (payload_and_padding_size - 1));
int cutoff = check - padding_length;
for (int i = 0, j = decrypted->size - 1 - check; i < check && j < decrypted->size; i++, j++) {
uint8_t mask = ~(0xff << ((i >= cutoff) * 8));
mismatches |= (decrypted->data[j] ^ padding_length) & mask;
}
if (mismatches) {
S2N_ERROR(S2N_ERR_CBC_VERIFY);
}
return 0;
}
static int s2n_ecdhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob ecdhparams;
struct s2n_blob signature;
uint16_t signature_length;
/* Read server ECDH params and calculate their hash */
GUARD(s2n_ecc_read_ecc_params(&conn->secure.server_ecc_params, in, &ecdhparams));
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, ecdhparams.data, ecdhparams.size));
/* Verify the signature */
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
return 0;
}
static int s2n_dhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob p, g, Ys, serverDHparams, signature;
uint16_t p_length;
uint16_t g_length;
uint16_t Ys_length;
uint16_t signature_length;
/* Keep a copy to the start of the whole structure for the signature check */
serverDHparams.data = s2n_stuffer_raw_read(in, 0);
notnull_check(serverDHparams.data);
/* Read each of the three elements in */
GUARD(s2n_stuffer_read_uint16(in, &p_length));
p.size = p_length;
p.data = s2n_stuffer_raw_read(in, p.size);
notnull_check(p.data);
GUARD(s2n_stuffer_read_uint16(in, &g_length));
g.size = g_length;
g.data = s2n_stuffer_raw_read(in, g.size);
notnull_check(g.data);
GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
Ys.size = Ys_length;
Ys.data = s2n_stuffer_raw_read(in, Ys.size);
notnull_check(Ys.data);
/* Now we know the total size of the structure */
serverDHparams.size = 2 + p_length + 2 + g_length + 2 + Ys_length;
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
/* Copy the DH details */
GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->secure.server_dh_params, &p, &g, &Ys));
return 0;
}
int64_t s2n_public_random(int64_t max)
{
uint64_t r;
gt_check(max, 0);
while(1) {
struct s2n_blob blob = { .data = (void *) &r, sizeof(r) };
GUARD(s2n_get_public_random_data(&blob));
/* Imagine an int was one byte and UINT_MAX was 256. If the
* caller asked for s2n_random(129, ...) we'd end up in
* trouble. Each number in the range 0...127 would be twice
* as likely as 128. That's because r == 0 % 129 -> 0, and
* r == 129 % 129 -> 0, but only r == 128 returns 128,
* r == 257 is out of range.
*
* To de-bias the dice, we discard values of r that are higher
* that the highest multiple of 'max' an int can support. If
* max is a uint, then in the worst case we discard 50% - 1 r's.
* But since 'max' is an int and INT_MAX is <= UINT_MAX / 2,
* in the worst case we discard 25% - 1 r's.
*/
if (r < (UINT64_MAX - (UINT64_MAX % max))) {
return r % max;
}
}
return -1;
}
#ifndef OPENSSL_IS_BORINGSSL
int s2n_openssl_compat_rand(unsigned char *buf, int num)
{
struct s2n_blob out = {.data = buf, .size = num};
if(s2n_get_private_random_data(&out) < 0) {
return 0;
}
return 1;
}
int s2n_openssl_compat_status(void)
{
return 1;
}
int s2n_openssl_compat_init(ENGINE *unused)
{
return 1;
}
RAND_METHOD s2n_openssl_rand_method = {
.seed = NULL,
.bytes = s2n_openssl_compat_rand,
.cleanup = NULL,
.add = NULL,
.pseudorand = s2n_openssl_compat_rand,
.status = s2n_openssl_compat_status
};
#endif
int s2n_init(void)
{
GUARD(s2n_mem_init());
OPEN:
entropy_fd = open(ENTROPY_SOURCE, O_RDONLY);
if (entropy_fd == -1) {
if (errno == EINTR) {
goto OPEN;
}
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#if defined(MAP_INHERIT_ZERO)
if ((zero_if_forked_ptr = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
if (minherit(zero_if_forked_ptr, sizeof(int), MAP_INHERIT_ZERO) == -1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#else
if (pthread_atfork(NULL, NULL, s2n_on_fork) != 0) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
GUARD(s2n_check_fork());
#ifndef OPENSSL_IS_BORINGSSL
/* Create an engine */
ENGINE *e = ENGINE_new();
if (e == NULL ||
ENGINE_set_id(e, "s2n") != 1 ||
ENGINE_set_name(e, "s2n entropy generator") != 1 ||
ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) != 1 ||
ENGINE_set_init_function(e, s2n_openssl_compat_init) != 1 ||
ENGINE_set_RAND(e, &s2n_openssl_rand_method) != 1 ||
ENGINE_add(e) != 1 ||
ENGINE_free(e) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
/* Use that engine for rand() */
e = ENGINE_by_id("s2n");
if (e == NULL ||
ENGINE_init(e) != 1 ||
ENGINE_set_default(e, ENGINE_METHOD_RAND) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
return 0;
}
