int s2n_server_hello_send(struct s2n_connection *conn)
{
uint32_t gmt_unix_time = time(NULL);
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_stuffer server_random;
struct s2n_blob b, r;
uint8_t session_id_len = 0;
uint8_t protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
b.data = conn->pending.server_random;
b.size = S2N_TLS_RANDOM_DATA_LEN;
/* Create the server random data */
GUARD(s2n_stuffer_init(&server_random, &b));
GUARD(s2n_stuffer_write_uint32(&server_random, gmt_unix_time));
r.data = s2n_stuffer_raw_write(&server_random, S2N_TLS_RANDOM_DATA_LEN - 4);
r.size = S2N_TLS_RANDOM_DATA_LEN - 4;
notnull_check(r.data);
GUARD(s2n_get_public_random_data(&r));
conn->actual_protocol_version = MIN(conn->client_protocol_version, conn->server_protocol_version);
protocol_version[0] = conn->actual_protocol_version / 10;
protocol_version[1] = conn->actual_protocol_version % 10;
conn->pending.signature_digest_alg = S2N_HASH_MD5_SHA1;
if (conn->actual_protocol_version == S2N_TLS12) {
conn->pending.signature_digest_alg = S2N_HASH_SHA1;
}
GUARD(s2n_stuffer_write_bytes(out, protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
GUARD(s2n_stuffer_write_bytes(out, conn->pending.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_stuffer_write_uint8(out, session_id_len));
GUARD(s2n_stuffer_write_bytes(out, conn->pending.cipher_suite->value, S2N_TLS_CIPHER_SUITE_LEN));
GUARD(s2n_stuffer_write_uint8(out, S2N_TLS_COMPRESSION_METHOD_NULL));
GUARD(s2n_server_extensions_send(conn, out));
conn->actual_protocol_version_established = 1;
return 0;
}
int s2n_client_hello_send(struct s2n_connection *conn)
{
uint32_t gmt_unix_time = time(NULL);
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_stuffer client_random;
struct s2n_blob b, r;
uint8_t session_id_len = 0;
uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
b.data = conn->secure.client_random;
b.size = S2N_TLS_RANDOM_DATA_LEN;
/* Create the client random data */
GUARD(s2n_stuffer_init(&client_random, &b));
GUARD(s2n_stuffer_write_uint32(&client_random, gmt_unix_time));
r.data = s2n_stuffer_raw_write(&client_random, S2N_TLS_RANDOM_DATA_LEN - 4);
r.size = S2N_TLS_RANDOM_DATA_LEN - 4;
notnull_check(r.data);
GUARD(s2n_get_public_random_data(&r));
client_protocol_version[0] = conn->client_protocol_version / 10;
client_protocol_version[1] = conn->client_protocol_version % 10;
conn->client_hello_version = conn->client_protocol_version;
GUARD(s2n_stuffer_write_bytes(out, client_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
GUARD(s2n_stuffer_copy(&client_random, out, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_stuffer_write_uint8(out, session_id_len));
GUARD(s2n_stuffer_write_uint16(out, conn->config->cipher_preferences->count * S2N_TLS_CIPHER_SUITE_LEN));
GUARD(s2n_stuffer_write_bytes(out, conn->config->cipher_preferences->wire_format, conn->config->cipher_preferences->count * S2N_TLS_CIPHER_SUITE_LEN));
/* Zero compression methods */
GUARD(s2n_stuffer_write_uint8(out, 1));
GUARD(s2n_stuffer_write_uint8(out, 0));
/* Write the extensions */
GUARD(s2n_client_extensions_send(conn, out));
return 0;
}
int s2n_record_write(struct s2n_connection *conn, uint8_t content_type, struct s2n_blob *in)
{
struct s2n_blob out, iv, aad;
uint8_t padding = 0;
uint16_t block_size = 0;
uint8_t aad_gen[S2N_TLS_MAX_AAD_LEN] = { 0 };
uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
uint8_t *sequence_number = conn->server->server_sequence_number;
struct s2n_hmac_state *mac = &conn->server->server_record_mac;
struct s2n_session_key *session_key = &conn->server->server_key;
const struct s2n_cipher_suite *cipher_suite = conn->server->cipher_suite;
uint8_t *implicit_iv = conn->server->server_implicit_iv;
if (conn->mode == S2N_CLIENT) {
sequence_number = conn->client->client_sequence_number;
mac = &conn->client->client_record_mac;
session_key = &conn->client->client_key;
cipher_suite = conn->client->cipher_suite;
implicit_iv = conn->client->client_implicit_iv;
}
S2N_ERROR_IF(s2n_stuffer_data_available(&conn->out), S2N_ERR_BAD_MESSAGE);
uint8_t mac_digest_size;
GUARD(s2n_hmac_digest_size(mac->alg, &mac_digest_size));
/* Before we do anything, we need to figure out what the length of the
* fragment is going to be.
*/
uint16_t data_bytes_to_take = MIN(in->size, s2n_record_max_write_payload_size(conn));
uint16_t extra = overhead(conn);
/* If we have padding to worry about, figure that out too */
if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
block_size = cipher_suite->record_alg->cipher->io.cbc.block_size;
if (((data_bytes_to_take + extra) % block_size)) {
padding = block_size - ((data_bytes_to_take + extra) % block_size);
}
} else if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
block_size = cipher_suite->record_alg->cipher->io.comp.block_size;
}
/* Start the MAC with the sequence number */
GUARD(s2n_hmac_update(mac, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
/* Now that we know the length, start writing the record */
GUARD(s2n_stuffer_write_uint8(&conn->out, content_type));
GUARD(s2n_record_write_protocol_version(conn));
/* First write a header that has the payload length, this is for the MAC */
GUARD(s2n_stuffer_write_uint16(&conn->out, data_bytes_to_take));
if (conn->actual_protocol_version > S2N_SSLv3) {
GUARD(s2n_hmac_update(mac, conn->out.blob.data, S2N_TLS_RECORD_HEADER_LENGTH));
} else {
/* SSLv3 doesn't include the protocol version in the MAC */
GUARD(s2n_hmac_update(mac, conn->out.blob.data, 1));
GUARD(s2n_hmac_update(mac, conn->out.blob.data + 3, 2));
}
/* Compute non-payload parts of the MAC(seq num, type, proto vers, fragment length) for composite ciphers.
* Composite "encrypt" will MAC the payload data and fill in padding.
*/
if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
/* Only fragment length is needed for MAC, but the EVP ctrl function needs fragment length + eiv len. */
uint16_t payload_and_eiv_len = data_bytes_to_take;
if (conn->actual_protocol_version > S2N_TLS10) {
payload_and_eiv_len += block_size;
}
/* Outputs number of extra bytes required for MAC and padding */
int pad_and_mac_len;
GUARD(cipher_suite->record_alg->cipher->io.comp.initial_hmac(session_key, sequence_number, content_type, conn->actual_protocol_version,
payload_and_eiv_len, &pad_and_mac_len));
extra += pad_and_mac_len;
}
/* Rewrite the length to be the actual fragment length */
uint16_t actual_fragment_length = data_bytes_to_take + padding + extra;
GUARD(s2n_stuffer_wipe_n(&conn->out, 2));
GUARD(s2n_stuffer_write_uint16(&conn->out, actual_fragment_length));
/* If we're AEAD, write the sequence number as an IV, and generate the AAD */
if (cipher_suite->record_alg->cipher->type == S2N_AEAD) {
struct s2n_stuffer iv_stuffer = {{0}};
iv.data = aad_iv;
iv.size = sizeof(aad_iv);
GUARD(s2n_stuffer_init(&iv_stuffer, &iv));
if (cipher_suite->record_alg->flags & S2N_TLS12_AES_GCM_AEAD_NONCE) {
/* Partially explicit nonce. See RFC 5288 Section 3 */
GUARD(s2n_stuffer_write_bytes(&conn->out, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, implicit_iv, cipher_suite->record_alg->cipher->io.aead.fixed_iv_size));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
} else if (cipher_suite->record_alg->flags & S2N_TLS12_CHACHA_POLY_AEAD_NONCE) {
/* Fully implicit nonce. See RFC7905 Section 2 */
uint8_t four_zeroes[4] = { 0 };
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, four_zeroes, 4));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
for(int i = 0; i < cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; i++) {
aad_iv[i] = aad_iv[i] ^ implicit_iv[i];
}
} else {
S2N_ERROR(S2N_ERR_INVALID_NONCE_TYPE);
}
/* Set the IV size to the amount of data written */
iv.size = s2n_stuffer_data_available(&iv_stuffer);
aad.data = aad_gen;
aad.size = sizeof(aad_gen);
struct s2n_stuffer ad_stuffer = {{0}};
GUARD(s2n_stuffer_init(&ad_stuffer, &aad));
GUARD(s2n_aead_aad_init(conn, sequence_number, content_type, data_bytes_to_take, &ad_stuffer));
} else if (cipher_suite->record_alg->cipher->type == S2N_CBC || cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
iv.size = block_size;
iv.data = implicit_iv;
/* For TLS1.1/1.2; write the IV with random data */
if (conn->actual_protocol_version > S2N_TLS10) {
GUARD(s2n_get_public_random_data(&iv));
GUARD(s2n_stuffer_write(&conn->out, &iv));
}
}
/* We are done with this sequence number, so we can increment it */
struct s2n_blob seq = {.data = sequence_number,.size = S2N_TLS_SEQUENCE_NUM_LEN };
GUARD(s2n_increment_sequence_number(&seq));
/* Write the plaintext data */
out.data = in->data;
out.size = data_bytes_to_take;
GUARD(s2n_stuffer_write(&conn->out, &out));
GUARD(s2n_hmac_update(mac, out.data, out.size));
/* Write the digest */
uint8_t *digest = s2n_stuffer_raw_write(&conn->out, mac_digest_size);
notnull_check(digest);
GUARD(s2n_hmac_digest(mac, digest, mac_digest_size));
GUARD(s2n_hmac_reset(mac));
if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
/* Include padding bytes, each with the value 'p', and
* include an extra padding length byte, also with the value 'p'.
*/
for (int i = 0; i <= padding; i++) {
GUARD(s2n_stuffer_write_uint8(&conn->out, padding));
}
}
/* Rewind to rewrite/encrypt the packet */
GUARD(s2n_stuffer_rewrite(&conn->out));
/* Skip the header */
GUARD(s2n_stuffer_skip_write(&conn->out, S2N_TLS_RECORD_HEADER_LENGTH));
uint16_t encrypted_length = data_bytes_to_take + mac_digest_size;
switch (cipher_suite->record_alg->cipher->type) {
case S2N_AEAD:
GUARD(s2n_stuffer_skip_write(&conn->out, cipher_suite->record_alg->cipher->io.aead.record_iv_size));
encrypted_length += cipher_suite->record_alg->cipher->io.aead.tag_size;
break;
case S2N_CBC:
if (conn->actual_protocol_version > S2N_TLS10) {
/* Leave the IV alone and unencrypted */
GUARD(s2n_stuffer_skip_write(&conn->out, iv.size));
}
/* Encrypt the padding and the padding length byte too */
encrypted_length += padding + 1;
break;
case S2N_COMPOSITE:
/* Composite CBC expects a pointer starting at explicit IV: [Explicit IV | fragment | MAC | padding | padding len ]
* extra will account for the explicit IV len(if applicable), MAC digest len, padding len + padding byte.
*/
encrypted_length += extra;
break;
default:
break;
}
/* Do the encryption */
struct s2n_blob en = {0};
en.size = encrypted_length;
en.data = s2n_stuffer_raw_write(&conn->out, en.size);
notnull_check(en.data);
switch (cipher_suite->record_alg->cipher->type) {
case S2N_STREAM:
GUARD(cipher_suite->record_alg->cipher->io.stream.encrypt(session_key, &en, &en));
break;
case S2N_CBC:
GUARD(cipher_suite->record_alg->cipher->io.cbc.encrypt(session_key, &iv, &en, &en));
/* Copy the last encrypted block to be the next IV */
if (conn->actual_protocol_version < S2N_TLS11) {
gte_check(en.size, block_size);
memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
}
break;
case S2N_AEAD:
GUARD(cipher_suite->record_alg->cipher->io.aead.encrypt(session_key, &iv, &aad, &en, &en));
break;
case S2N_COMPOSITE:
/* This will: compute mac, append padding, append padding length, and encrypt */
GUARD(cipher_suite->record_alg->cipher->io.comp.encrypt(session_key, &iv, &en, &en));
/* Copy the last encrypted block to be the next IV */
gte_check(en.size, block_size);
memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
break;
default:
S2N_ERROR(S2N_ERR_CIPHER_TYPE);
break;
}
conn->wire_bytes_out += actual_fragment_length + S2N_TLS_RECORD_HEADER_LENGTH;
return data_bytes_to_take;
}
int64_t s2n_public_random(int64_t max)
{
uint64_t r;
gt_check(max, 0);
while(1) {
struct s2n_blob blob = { .data = (void *) &r, sizeof(r) };
GUARD(s2n_get_public_random_data(&blob));
/* Imagine an int was one byte and UINT_MAX was 256. If the
* caller asked for s2n_random(129, ...) we'd end up in
* trouble. Each number in the range 0...127 would be twice
* as likely as 128. That's because r == 0 % 129 -> 0, and
* r == 129 % 129 -> 0, but only r == 128 returns 128,
* r == 257 is out of range.
*
* To de-bias the dice, we discard values of r that are higher
* that the highest multiple of 'max' an int can support. If
* max is a uint, then in the worst case we discard 50% - 1 r's.
* But since 'max' is an int and INT_MAX is <= UINT_MAX / 2,
* in the worst case we discard 25% - 1 r's.
*/
if (r < (UINT64_MAX - (UINT64_MAX % max))) {
return r % max;
}
}
return -1;
}
#ifndef OPENSSL_IS_BORINGSSL
int s2n_openssl_compat_rand(unsigned char *buf, int num)
{
struct s2n_blob out = {.data = buf, .size = num};
if(s2n_get_private_random_data(&out) < 0) {
return 0;
}
return 1;
}
int s2n_openssl_compat_status(void)
{
return 1;
}
int s2n_openssl_compat_init(ENGINE *unused)
{
return 1;
}
RAND_METHOD s2n_openssl_rand_method = {
.seed = NULL,
.bytes = s2n_openssl_compat_rand,
.cleanup = NULL,
.add = NULL,
.pseudorand = s2n_openssl_compat_rand,
.status = s2n_openssl_compat_status
};
#endif
int s2n_init(void)
{
GUARD(s2n_mem_init());
OPEN:
entropy_fd = open(ENTROPY_SOURCE, O_RDONLY);
if (entropy_fd == -1) {
if (errno == EINTR) {
goto OPEN;
}
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#if defined(MAP_INHERIT_ZERO)
if ((zero_if_forked_ptr = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
if (minherit(zero_if_forked_ptr, sizeof(int), MAP_INHERIT_ZERO) == -1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#else
if (pthread_atfork(NULL, NULL, s2n_on_fork) != 0) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
GUARD(s2n_check_fork());
#ifndef OPENSSL_IS_BORINGSSL
/* Create an engine */
ENGINE *e = ENGINE_new();
if (e == NULL ||
ENGINE_set_id(e, "s2n") != 1 ||
ENGINE_set_name(e, "s2n entropy generator") != 1 ||
ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) != 1 ||
ENGINE_set_init_function(e, s2n_openssl_compat_init) != 1 ||
ENGINE_set_RAND(e, &s2n_openssl_rand_method) != 1 ||
ENGINE_add(e) != 1 ||
ENGINE_free(e) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
/* Use that engine for rand() */
e = ENGINE_by_id("s2n");
if (e == NULL ||
ENGINE_init(e) != 1 ||
ENGINE_set_default(e, ENGINE_METHOD_RAND) != 1) {
S2N_ERROR(S2N_ERR_OPEN_RANDOM);
}
#endif
return 0;
}
