/* Allocate and initialise a connection object operating in `mode`.
 *
 * Returns the new connection, or NULL when allocation, client-mode gating or
 * stuffer setup fails (the GUARD_PTR macros bail out of the function on a
 * callee error, presumably returning NULL).
 *
 * NOTE(review): `blob` is reused below to describe the fixed-size stuffer
 * buffers, so after the cast the connection allocation is only released on
 * the client-mode check path. If any later GUARD_PTR fails, the connection
 * memory (and any stuffer already allocated by s2n_stuffer_alloc /
 * s2n_stuffer_growable_alloc) is not freed on that path.
 */
struct s2n_connection *s2n_connection_new(s2n_mode mode)
{
    struct s2n_blob blob;
    struct s2n_connection *conn;

    GUARD_PTR(s2n_alloc(&blob, sizeof(struct s2n_connection)));
    /* Start from an all-zero object so no field below is read uninitialised. */
    GUARD_PTR(s2n_blob_zero(&blob));

    if (mode == S2N_CLIENT) {
        /* At present s2n is not suitable for use in client mode, as it
         * does not perform any certificate validation. However it is useful
         * to use S2N in client mode for testing purposes. An environment
         * variable is required to be set for the client mode to work.
         */
        if (getenv("S2N_ENABLE_CLIENT_MODE") == NULL) {
            /* Only error path that releases the allocation explicitly. */
            s2n_free(&blob);
            S2N_ERROR_PTR(S2N_ERR_CLIENT_MODE_DISABLED);
        }
    }

    /* Cast 'through' void to acknowledge that we are changing alignment,
     * which is ok, as blob.data is always aligned.
     */
    conn = (struct s2n_connection *)(void *)blob.data;
    conn->mode = mode;
    conn->blinding = S2N_BUILT_IN_BLINDING;
    conn->config = &s2n_default_config;

    /* Allocate the fixed-size stuffers. From here on `blob` no longer refers
     * to the connection allocation; it is a view over in-struct buffers. */
    blob.data = conn->alert_in_data;
    blob.size = S2N_ALERT_LENGTH;
    GUARD_PTR(s2n_stuffer_init(&conn->alert_in, &blob));

    blob.data = conn->reader_alert_out_data;
    blob.size = S2N_ALERT_LENGTH;
    GUARD_PTR(s2n_stuffer_init(&conn->reader_alert_out, &blob));

    blob.data = conn->writer_alert_out_data;
    blob.size = S2N_ALERT_LENGTH;
    GUARD_PTR(s2n_stuffer_init(&conn->writer_alert_out, &blob));

    /* Heap-backed output record buffer. */
    GUARD_PTR(s2n_stuffer_alloc(&conn->out, S2N_DEFAULT_RECORD_LENGTH));

    /* Initialize the growable stuffers. Zero length at first, but the resize
     * in _wipe will fix that */
    blob.data = conn->header_in_data;
    blob.size = S2N_TLS_RECORD_HEADER_LENGTH;
    GUARD_PTR(s2n_stuffer_init(&conn->header_in, &blob));
    GUARD_PTR(s2n_stuffer_growable_alloc(&conn->in, 0));
    GUARD_PTR(s2n_stuffer_growable_alloc(&conn->handshake.io, 0));

    /* Wipe brings the per-handshake state to its initial values. */
    GUARD_PTR(s2n_connection_wipe(conn));
    GUARD_PTR(s2n_timer_start(conn->config, &conn->write_timer));

    return conn;
}
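/* Parse the ServerHello extension list and dispatch each recognised extension.
 *
 * `extensions` holds the raw list received from the peer: a sequence of
 * (uint16 type, uint16 length, body). Unknown extension types are skipped.
 *
 * Returns 0 on success; propagates the GUARD failure when the list is
 * malformed (truncated header, body longer than the remaining data) or an
 * extension handler rejects its payload.
 */
int s2n_server_extensions_recv(struct s2n_connection *conn, struct s2n_blob *extensions)
{
    struct s2n_stuffer in;

    GUARD(s2n_stuffer_init(&in, extensions));
    GUARD(s2n_stuffer_write(&in, extensions));

    while (s2n_stuffer_data_available(&in)) {
        struct s2n_blob ext;
        uint16_t extension_type, extension_size;
        struct s2n_stuffer extension;

        GUARD(s2n_stuffer_read_uint16(&in, &extension_type));
        GUARD(s2n_stuffer_read_uint16(&in, &extension_size));

        /* Reject a declared length that overruns the remaining data before
         * touching it, mirroring s2n_client_extensions_recv. The raw read
         * below is expected to return NULL in that case as well, but the
         * explicit bound makes the check obvious and keeps both sides
         * failing the same way on the same input. */
        lte_check(extension_size, s2n_stuffer_data_available(&in));

        ext.size = extension_size;
        ext.data = s2n_stuffer_raw_read(&in, ext.size);
        notnull_check(ext.data);

        /* Hand each handler its own bounded stuffer over the extension body. */
        GUARD(s2n_stuffer_init(&extension, &ext));
        GUARD(s2n_stuffer_write(&extension, &ext));

        switch (extension_type) {
        case TLS_EXTENSION_ALPN:
            GUARD(s2n_recv_server_alpn(conn, &extension));
            break;
        case TLS_EXTENSION_STATUS_REQUEST:
            GUARD(s2n_recv_server_status_request(conn, &extension));
            break;
        default:
            /* Unrecognised extensions are ignored. */
            break;
        }
    }

    return 0;
}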
/* Walk the ClientHello extension list and dispatch each recognised extension
 * to its handler.
 *
 * `extensions` is the raw list from the peer: repeated
 * (uint16 type, uint16 length, body). A body longer than the data left in the
 * list is rejected before it is read. Unknown types are skipped.
 *
 * Returns 0 on success, or the GUARD failure of the first parse error or
 * handler rejection.
 */
int s2n_client_extensions_recv(struct s2n_connection *conn, struct s2n_blob *extensions)
{
    struct s2n_stuffer reader;

    GUARD(s2n_stuffer_init(&reader, extensions));
    GUARD(s2n_stuffer_write(&reader, extensions));

    for (;;) {
        if (!s2n_stuffer_data_available(&reader)) {
            break;
        }

        uint16_t type;
        uint16_t length;
        GUARD(s2n_stuffer_read_uint16(&reader, &type));
        GUARD(s2n_stuffer_read_uint16(&reader, &length));

        /* The declared body must fit in what is left of the list. */
        lte_check(length, s2n_stuffer_data_available(&reader));

        struct s2n_blob payload = { .size = length };
        payload.data = s2n_stuffer_raw_read(&reader, payload.size);
        notnull_check(payload.data);

        /* Each handler gets a stuffer bounded to its own body. */
        struct s2n_stuffer body;
        GUARD(s2n_stuffer_init(&body, &payload));
        GUARD(s2n_stuffer_write(&body, &payload));

        switch (type) {
        case TLS_EXTENSION_SERVER_NAME:
            GUARD(s2n_recv_client_server_name(conn, &body));
            break;
        case TLS_EXTENSION_SIGNATURE_ALGORITHMS:
            GUARD(s2n_recv_client_signature_algorithms(conn, &body, &conn->secure.conn_hash_alg, &conn->secure.conn_sig_alg));
            break;
        case TLS_EXTENSION_ALPN:
            GUARD(s2n_recv_client_alpn(conn, &body));
            break;
        case TLS_EXTENSION_STATUS_REQUEST:
            GUARD(s2n_recv_client_status_request(conn, &body));
            break;
        case TLS_EXTENSION_ELLIPTIC_CURVES:
            GUARD(s2n_recv_client_elliptic_curves(conn, &body));
            break;
        case TLS_EXTENSION_EC_POINT_FORMATS:
            GUARD(s2n_recv_client_ec_point_formats(conn, &body));
            break;
        case TLS_EXTENSION_RENEGOTIATION_INFO:
            GUARD(s2n_recv_client_renegotiation_info(conn, &body));
            break;
        case TLS_EXTENSION_SCT_LIST:
            GUARD(s2n_recv_client_sct_list(conn, &body));
            break;
        case TLS_EXTENSION_MAX_FRAG_LEN:
            GUARD(s2n_recv_client_max_frag_len(conn, &body));
            break;
        default:
            /* Unrecognised extensions are ignored. */
            break;
        }
    }

    return 0;
}
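/* Pick the first KEM in the server's preference list that the client also offered.
 *
 * client_kem_ids: wire-format list of 2-byte KEM ids sent by the client; an
 *                 odd trailing byte is ignored.
 * server_kem_pref_list / num_server_supported_kems: server preference order,
 *                 which decides the winner when several KEMs are shared.
 * matching_kem:   receives a pointer into server_kem_pref_list on success.
 *
 * Returns 0 when a match is found, otherwise fails with
 * S2N_ERR_KEM_UNSUPPORTED_PARAMS.
 */
int s2n_kem_find_supported_kem(struct s2n_blob *client_kem_ids, const struct s2n_kem *server_kem_pref_list,
                               const int num_server_supported_kems, const struct s2n_kem **matching_kem)
{
    /* The output pointer is written unconditionally on a match. */
    notnull_check(matching_kem);

    struct s2n_stuffer client_kems_in = {{0}};
    GUARD(s2n_stuffer_init(&client_kems_in, client_kem_ids));
    GUARD(s2n_stuffer_write(&client_kems_in, client_kem_ids));

    /* Number of complete 2-byte ids in the client list. */
    const uint32_t num_client_kem_ids = client_kem_ids->size / 2;

    for (int i = 0; i < num_server_supported_kems; i++) {
        /* Borrow the entry instead of copying the whole struct. */
        const struct s2n_kem *candidate = &server_kem_pref_list[i];

        for (uint32_t j = 0; j < num_client_kem_ids; j++) {
            kem_extension_size candidate_client_kem_id;
            GUARD(s2n_stuffer_read_uint16(&client_kems_in, &candidate_client_kem_id));

            if (candidate->kem_extension_id == candidate_client_kem_id) {
                *matching_kem = candidate;
                return 0;
            }
        }

        /* Rewind so the next server candidate rescans the client list from the start. */
        GUARD(s2n_stuffer_reread(&client_kems_in));
    }

    /* Nothing found */
    S2N_ERROR(S2N_ERR_KEM_UNSUPPORTED_PARAMS);
    /* Not reached when S2N_ERROR returns from the function (as its other uses
     * in this codebase rely on); kept so the function always has a return. */
    return 0;
}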
/* Prime the composite AES-CBC+HMAC cipher with the TLS 1.2 additional data
 * for the record about to be processed.
 *
 * The AAD is seq_num || content_type || version major || version minor ||
 * payload_and_eiv_len, assembled into a stack buffer of S2N_TLS12_AAD_LEN
 * bytes and passed to EVP_CTRL_AEAD_TLS1_AAD.
 *
 * On success *extra receives the control call's return value, which is the
 * number of bytes the cipher will add for the MAC and padding. Fails with
 * S2N_ERR_INITIAL_HMAC when the control call reports an error.
 */
static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type,
                                                      uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
{
    uint8_t aad[S2N_TLS12_AAD_LEN];
    struct s2n_blob aad_blob = { .data = aad, .size = S2N_TLS12_AAD_LEN };
    struct s2n_stuffer aad_stuffer;
    GUARD(s2n_stuffer_init(&aad_stuffer, &aad_blob));

    /* The wire version is carried as two decimal digits of the internal code. */
    const uint8_t version_major = protocol_version / 10;
    const uint8_t version_minor = protocol_version % 10;

    GUARD(s2n_stuffer_write_bytes(&aad_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
    GUARD(s2n_stuffer_write_uint8(&aad_stuffer, content_type));
    GUARD(s2n_stuffer_write_uint8(&aad_stuffer, version_major));
    GUARD(s2n_stuffer_write_uint8(&aad_stuffer, version_minor));
    GUARD(s2n_stuffer_write_uint16(&aad_stuffer, payload_and_eiv_len));

    /* This will unnecessarily mangle the input buffer, which is fine since it's temporary
     * Return value will be length of digest, padding, and padding length byte.
     * See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L814
     * and https://github.com/openssl/openssl/blob/4f0c475719defd7c051964ef9964cc6e5b3a63bf/ssl/record/ssl3_record.c#L743
     */
    const int ctrl_ret = EVP_CIPHER_CTX_ctrl(key->evp_cipher_ctx, EVP_CTRL_AEAD_TLS1_AAD, S2N_TLS12_AAD_LEN, aad);
    S2N_ERROR_IF(ctrl_ret < 0, S2N_ERR_INITIAL_HMAC);

    *extra = ctrl_ret;
    return 0;
}
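/* Give `stuffer` a freshly allocated backing blob of `size` bytes and
 * initialise the stuffer over it.
 *
 * On success stuffer->alloced is set so the stuffer is known to own its
 * memory. Returns 0 on success and -1 on failure. If initialisation fails
 * after the blob was allocated, the blob is released before returning so
 * the error path does not leak.
 */
int s2n_stuffer_alloc(struct s2n_stuffer *stuffer, const uint32_t size)
{
    GUARD(s2n_alloc(&stuffer->blob, size));

    if (s2n_stuffer_init(stuffer, &stuffer->blob) < 0) {
        /* Don't leak the blob we just allocated; the init failure is what we report. */
        s2n_free(&stuffer->blob);
        return -1;
    }

    stuffer->alloced = 1;
    return 0;
}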
/* Decode the base64 body of a PEM block from `pem` into `asn1`.
 *
 * Characters are consumed from `pem` until the next '-' (the start of the
 * END line), which is left unread. Non-base64 characters (newlines etc.) are
 * dropped. Base64 text is staged in a 64-byte chunk and decoded into `asn1`
 * whenever the chunk fills and once more at the end.
 *
 * Returns 0 on success, or the first GUARD failure.
 */
static int s2n_stuffer_pem_read_contents(struct s2n_stuffer *pem, struct s2n_stuffer *asn1)
{
    uint8_t chunk[64] = { 0 };
    struct s2n_blob chunk_blob = { .data = chunk, .size = sizeof(chunk) };
    struct s2n_stuffer chunk_stuffer = {{0}};
    GUARD(s2n_stuffer_init(&chunk_stuffer, &chunk_blob));

    for (;;) {
        char next;

        /* Look before consuming: a dash means the END marker begins here. */
        GUARD(s2n_stuffer_peek_char(pem, &next));
        if (next == '-') {
            break;
        }
        GUARD(s2n_stuffer_skip_read(pem, 1));

        if (!s2n_is_base64_char(next)) {
            continue;
        }

        /* Chunk full: decode it into asn1 and start filling from the top again. */
        if (s2n_stuffer_space_remaining(&chunk_stuffer) == 0) {
            GUARD(s2n_stuffer_read_base64(&chunk_stuffer, asn1));
            GUARD(s2n_stuffer_rewrite(&chunk_stuffer));
        }

        GUARD(s2n_stuffer_write_bytes(&chunk_stuffer, (uint8_t *) &next, 1));
    }

    /* Decode whatever is still staged. */
    GUARD(s2n_stuffer_read_base64(&chunk_stuffer, asn1));

    return 0;
}

/* Extract one PEM block labelled `keyword` from `pem` and decode it into `asn1`:
 * BEGIN line, base64 body, END line. Returns 0 on success or the first GUARD failure.
 */
static int s2n_stuffer_data_from_pem(struct s2n_stuffer *pem, struct s2n_stuffer *asn1, const char *keyword)
{
    GUARD(s2n_stuffer_pem_read_begin(pem, keyword));
    GUARD(s2n_stuffer_pem_read_contents(pem, asn1));
    GUARD(s2n_stuffer_pem_read_end(pem, keyword));

    return 0;
}
/* Due to the need to support some older assemblers,
 * we cannot use either the compiler intrinsics or
 * the RDRAND assembly mnemonic. For this reason,
 * we're using the opcode directly (0F C7/6). This
 * stores the result in eax.
 *
 * volatile is important to prevent the compiler from
 * re-ordering or optimizing the use of RDRAND.
 */
/* Fill `out` with hardware random bytes from RDRAND.
 *
 * Returns 0 when the whole blob was filled, -1 when RDRAND kept failing
 * (ten attempts per 8-byte word) or on non-x86 builds. Note that the
 * failure path is a plain `return -1` without an s2n error code.
 *
 * NOTE(review): the leading 0x48 byte is the REX.W prefix only in 64-bit
 * mode; this block is also compiled for __i386__, so confirm the 32-bit
 * encoding and the 64-bit "=a" output decode as intended there.
 */
int s2n_get_rdrand_data(struct s2n_blob *out)
{
#if defined(__x86_64__)||defined(__i386__)
    int space_remaining = 0;
    struct s2n_stuffer stuffer;
    /* One RDRAND result, viewed both as the register value and as bytes to copy. */
    union {
        uint64_t u64;
        uint8_t u8[8];
    } output;

    GUARD(s2n_stuffer_init(&stuffer, out));
    while((space_remaining = s2n_stuffer_space_remaining(&stuffer))) {
        int success = 0;

        /* RDRAND may transiently fail (CF clear); retry a bounded number of times. */
        for (int tries = 0; tries < 10; tries++) {
            /* ebx starts at 0; "adcl $0, %ebx" adds the carry flag, so
             * success == 1 exactly when RDRAND reported a valid value. */
            __asm__ __volatile__(
                ".byte 0x48;\n"
                ".byte 0x0f;\n"
                ".byte 0xc7;\n"
                ".byte 0xf0;\n"
                "adcl $0x00, %%ebx;\n"
                :"=b"(success), "=a"(output.u64)
                :"b"(0)
                :"cc"
            );

            if (success) {
                break;
            }
        }

        if (!success) {
            return -1;
        }

        /* Copy at most 8 bytes, and never more than the stuffer can still hold. */
        int data_to_fill = MIN(sizeof(output), space_remaining);

        GUARD(s2n_stuffer_write_bytes(&stuffer, output.u8, data_to_fill));
    }

    return 0;
#else
    return -1;
#endif
}
/* Write the ServerHello body into the handshake stuffer and fix the negotiated version.
 *
 * The server random (conn->pending.server_random) is gmt_unix_time in the
 * first 4 bytes followed by S2N_TLS_RANDOM_DATA_LEN - 4 bytes from
 * s2n_get_public_random_data. Also sets conn->actual_protocol_version (the
 * lower of the two advertised versions), the pending signature digest
 * algorithm, and actual_protocol_version_established.
 *
 * Returns 0 on success, or the first GUARD failure.
 */
int s2n_server_hello_send(struct s2n_connection *conn)
{
    /* Truncated to 32 bits as the wire format requires. */
    const uint32_t gmt_unix_time = time(NULL);
    struct s2n_stuffer *out = &conn->handshake.io;

    /* server_random = gmt_unix_time || random tail */
    struct s2n_blob random_blob = { .data = conn->pending.server_random, .size = S2N_TLS_RANDOM_DATA_LEN };
    struct s2n_stuffer random_stuffer;
    GUARD(s2n_stuffer_init(&random_stuffer, &random_blob));
    GUARD(s2n_stuffer_write_uint32(&random_stuffer, gmt_unix_time));

    struct s2n_blob random_tail = { .size = S2N_TLS_RANDOM_DATA_LEN - 4 };
    random_tail.data = s2n_stuffer_raw_write(&random_stuffer, random_tail.size);
    notnull_check(random_tail.data);
    GUARD(s2n_get_public_random_data(&random_tail));

    /* Negotiate down to the lower of what both sides offered. */
    conn->actual_protocol_version = MIN(conn->client_protocol_version, conn->server_protocol_version);

    uint8_t version_bytes[S2N_TLS_PROTOCOL_VERSION_LEN];
    version_bytes[0] = conn->actual_protocol_version / 10;
    version_bytes[1] = conn->actual_protocol_version % 10;

    conn->pending.signature_digest_alg = (conn->actual_protocol_version == S2N_TLS12) ? S2N_HASH_SHA1 : S2N_HASH_MD5_SHA1;

    /* No session resumption: an empty session id. */
    const uint8_t no_session_id = 0;

    GUARD(s2n_stuffer_write_bytes(out, version_bytes, S2N_TLS_PROTOCOL_VERSION_LEN));
    GUARD(s2n_stuffer_write_bytes(out, conn->pending.server_random, S2N_TLS_RANDOM_DATA_LEN));
    GUARD(s2n_stuffer_write_uint8(out, no_session_id));
    GUARD(s2n_stuffer_write_bytes(out, conn->pending.cipher_suite->value, S2N_TLS_CIPHER_SUITE_LEN));
    GUARD(s2n_stuffer_write_uint8(out, S2N_TLS_COMPRESSION_METHOD_NULL));
    GUARD(s2n_server_extensions_send(conn, out));

    conn->actual_protocol_version_established = 1;

    return 0;
}
/* Write the ClientHello body into the handshake stuffer.
 *
 * The client random (conn->secure.client_random) is gmt_unix_time in the
 * first 4 bytes followed by S2N_TLS_RANDOM_DATA_LEN - 4 bytes from
 * s2n_get_public_random_data. The offered cipher suites come straight from
 * the configured preference list's wire_format, and the only compression
 * method offered is null. Records conn->client_hello_version.
 *
 * Returns 0 on success, or the first GUARD failure.
 */
int s2n_client_hello_send(struct s2n_connection *conn)
{
    /* Truncated to 32 bits as the wire format requires. */
    const uint32_t gmt_unix_time = time(NULL);
    struct s2n_stuffer *out = &conn->handshake.io;

    /* client_random = gmt_unix_time || random tail */
    struct s2n_blob random_blob = { .data = conn->secure.client_random, .size = S2N_TLS_RANDOM_DATA_LEN };
    struct s2n_stuffer random_stuffer;
    GUARD(s2n_stuffer_init(&random_stuffer, &random_blob));
    GUARD(s2n_stuffer_write_uint32(&random_stuffer, gmt_unix_time));

    struct s2n_blob random_tail = { .size = S2N_TLS_RANDOM_DATA_LEN - 4 };
    random_tail.data = s2n_stuffer_raw_write(&random_stuffer, random_tail.size);
    notnull_check(random_tail.data);
    GUARD(s2n_get_public_random_data(&random_tail));

    uint8_t version_bytes[S2N_TLS_PROTOCOL_VERSION_LEN];
    version_bytes[0] = conn->client_protocol_version / 10;
    version_bytes[1] = conn->client_protocol_version % 10;
    conn->client_hello_version = conn->client_protocol_version;

    /* No session resumption: an empty session id. */
    const uint8_t no_session_id = 0;
    const uint16_t cipher_suites_len = conn->config->cipher_preferences->count * S2N_TLS_CIPHER_SUITE_LEN;

    GUARD(s2n_stuffer_write_bytes(out, version_bytes, S2N_TLS_PROTOCOL_VERSION_LEN));
    GUARD(s2n_stuffer_copy(&random_stuffer, out, S2N_TLS_RANDOM_DATA_LEN));
    GUARD(s2n_stuffer_write_uint8(out, no_session_id));
    GUARD(s2n_stuffer_write_uint16(out, cipher_suites_len));
    GUARD(s2n_stuffer_write_bytes(out, conn->config->cipher_preferences->wire_format, cipher_suites_len));

    /* Compression methods: one entry, the null method. */
    GUARD(s2n_stuffer_write_uint8(out, 1));
    GUARD(s2n_stuffer_write_uint8(out, 0));

    /* Write the extensions */
    GUARD(s2n_client_extensions_send(conn, out));

    return 0;
}
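/* Hash self-test: digest "Hello world!\n" with MD5, SHA1, SHA256 and SHA384,
 * hex-encode the result into output_pad through a stuffer, and compare it
 * against reference values. Also checks that s2n_hash_copy produces an
 * independent state yielding the same digest.
 */
int main(int argc, char **argv)
{
    uint8_t digest_pad[64];
    uint8_t output_pad[96];
    uint8_t hello[] = "Hello world!\n";
    struct s2n_stuffer output;
    struct s2n_hash_state hash, copy;
    struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) };

    BEGIN_TEST();

    /* Initialise our output stuffers */
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    uint8_t md5_digest_size;
    /* EXPECT_SUCCESS rather than GUARD so a failure is reported like every other check here. */
    EXPECT_SUCCESS(s2n_hash_digest_size(S2N_HASH_MD5, &md5_digest_size));
    EXPECT_EQUAL(md5_digest_size, 16);
    EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_MD5));
    EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hash_copy(&copy, &hash));
    EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, MD5_DIGEST_LENGTH));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from command line md5sum */
    EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);

    /* Check the copy. The output stuffer is re-initialised first: without
     * this the copy's hex digest lands at output_pad[32..63] while the
     * comparison below reads output_pad[0..31], so it would re-check the
     * original digest and never exercise the copy. */
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
    EXPECT_SUCCESS(s2n_hash_digest(&copy, digest_pad, MD5_DIGEST_LENGTH));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from command line md5sum */
    EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);

    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
    uint8_t sha1_digest_size;
    EXPECT_SUCCESS(s2n_hash_digest_size(S2N_HASH_SHA1, &sha1_digest_size));
    EXPECT_EQUAL(sha1_digest_size, 20);
    EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA1));
    EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA_DIGEST_LENGTH));

    for (int i = 0; i < 20; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from command line sha1sum */
    EXPECT_EQUAL(memcmp(output_pad, "47a013e660d408619d894b20806b1d5086aab03b", 20 * 2), 0);

    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
    uint8_t sha256_digest_size;
    EXPECT_SUCCESS(s2n_hash_digest_size(S2N_HASH_SHA256, &sha256_digest_size));
    EXPECT_EQUAL(sha256_digest_size, 32);
    EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA256));
    EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA256_DIGEST_LENGTH));

    for (int i = 0; i < 32; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from command line sha256sum */
    EXPECT_EQUAL(memcmp(output_pad, "0ba904eae8773b70c75333db4de2f3ac45a8ad4ddba1b242f0b3cfc199391dd8", 32 * 2), 0);

    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
    uint8_t sha384_digest_size;
    EXPECT_SUCCESS(s2n_hash_digest_size(S2N_HASH_SHA384, &sha384_digest_size));
    EXPECT_EQUAL(sha384_digest_size, 48);
    EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA384));
    EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA384_DIGEST_LENGTH));

    for (int i = 0; i < 48; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from command line sha384sum */
    EXPECT_EQUAL(memcmp(output_pad, "f7f8f1b9d5a9a61742eeda26c20990282ac08dabda14e70376fcb4c8b46198a9959ea9d7d194b38520eed5397ffe6d8e", 48 * 2), 0);

    END_TEST();
}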
/* Protocol-version-aware PRF front end.
 *
 * secret, label and the seeds are fed to the pseudo-random function selected
 * by conn->actual_protocol_version and the result is written over `out`
 * (the whole of out->size bytes).
 *
 *   SSLv3:           s2n_sslv3_prf (label unused).
 *   TLS 1.2:         single p_hash with the cipher suite's tls12_prf_alg.
 *   TLS 1.0 / 1.1:   P_MD5 over the first half of the secret XORed with
 *                    P_SHA1 over the second half; the two halves each cover
 *                    ceil(size/2) bytes and overlap by one byte when size is odd.
 *
 * seed_a is required; seed_b is optional; seed_c requires seed_b.
 * Returns 0 on success; S2N_ERR_PRF_INVALID_SEED on a bad seed combination,
 * otherwise the first GUARD failure.
 */
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
{
    /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
    S2N_ERROR_IF(seed_a == NULL, S2N_ERR_PRF_INVALID_SEED);
    S2N_ERROR_IF(seed_b == NULL && seed_c != NULL, S2N_ERR_PRF_INVALID_SEED);

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, seed_c, out);
    }

    /* We zero the out blob because p_hash works by XOR'ing with the existing
     * buffer. This is a little convoluted but means we can avoid dynamic memory
     * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
     * the right values. When we call it twice in the regular case, the two
     * outputs will be XORd just as the TLS 1.0 and 1.1 RFCs require.
     */
    GUARD(s2n_blob_zero(out));

    /* Ensure that p_hash_hmac_impl is set, as it may have been reset for prf_space on s2n_connection_wipe.
     * When in FIPS mode, the EVP API's must be used for the p_hash HMAC.
     */
    conn->prf_space.tls.p_hash_hmac_impl = s2n_is_in_fips_mode() ? &s2n_evp_hmac : &s2n_hmac;

    if (conn->actual_protocol_version == S2N_TLS12) {
        return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b, seed_c, out);
    }

    /* TLS 1.0/1.1: first half of the secret for MD5, rounded up. */
    struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 };

    GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
    /* Slide to the last half for SHA1; the two halves share the middle byte for odd sizes. */
    half_secret.data += secret->size - half_secret.size;
    GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));

    return 0;
}

/* Derive conn->secure.master_secret from the premaster secret with label
 * "master secret" and seed client_random || server_random (RFC 5246 8.1).
 */
int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
    struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
    struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
    struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};

    /* Label excludes the terminating NUL. */
    uint8_t master_secret_label[] = "master secret";
    struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};

    return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
}

/* Hybrid-key-exchange variant of the master secret derivation: label
 * "hybrid master secret", and the client key exchange message is appended
 * to the seed after the two randoms so the derived secret binds to it.
 */
int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
    struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
    struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
    struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};

    /* Label excludes the terminating NUL. */
    uint8_t master_secret_label[] = "hybrid master secret";
    struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};

    return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->secure.client_key_exchange_message, &master_secret);
}

/* SSLv3 Finished computation (SSLv3 spec 5.6.9):
 *   MD5(master_secret || pad2 || MD5(handshake || prefix || master_secret || pad1))
 *   SHA1(master_secret || pad2 || SHA1(handshake || prefix || master_secret || pad1))
 * written back to back into `out` (MD5 digest first, then SHA1 digest).
 *
 * `md5` and `sha1` must already contain the handshake transcript; both are
 * consumed and reset. pad1/pad2 are 48 bytes for MD5 and 40 bytes for SHA1.
 *
 * NOTE(review): the size check is against handshake.client_finished even
 * when the caller passes server_finished as `out`; presumably both buffers
 * are the same size — confirm.
 */
static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t * out)
{
    uint8_t xorpad1[48] =
        { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
    };
    uint8_t xorpad2[48] =
        { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
    };

    uint8_t *md5_digest = out;
    uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));

    /* Inner MD5: transcript || prefix || master_secret || pad1 */
    GUARD(s2n_hash_update(md5, prefix, 4));
    GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(md5, xorpad1, 48));
    GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(md5));
    /* Outer MD5: master_secret || pad2 || inner digest (computed in place) */
    GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(md5, xorpad2, 48));
    GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(md5));

    /* Inner SHA1: transcript || prefix || master_secret || pad1 (40 bytes) */
    GUARD(s2n_hash_update(sha1, prefix, 4));
    GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(sha1, xorpad1, 40));
    GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(sha1));
    /* Outer SHA1: master_secret || pad2 (40 bytes) || inner digest (in place) */
    GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(sha1, xorpad2, 40));
    GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(sha1));

    return 0;
}

/* SSLv3 client Finished: prefix "CLNT", written to conn->handshake.client_finished.
 * Works on copies of the running transcript hashes so the originals keep accumulating.
 */
static int s2n_sslv3_client_finished(struct s2n_connection *conn)
{
    uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
    return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.client_finished);
}

/* SSLv3 server Finished: prefix "SRVR", written to conn->handshake.server_finished.
 * Works on copies of the running transcript hashes so the originals keep accumulating.
 */
static int s2n_sslv3_server_finished(struct s2n_connection *conn)
{
    uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished));
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
    return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.server_finished);
}

/* Compute the client Finished verify_data into conn->handshake.client_finished
 * (S2N_TLS_FINISHED_LEN bytes).
 *
 *   SSLv3:         delegated to s2n_sslv3_client_finished.
 *   TLS 1.2:       PRF(master_secret, "client finished", Hash(transcript)) where
 *                  Hash is the suite's tls12_prf_alg (SHA256 or SHA384; anything
 *                  else fails with S2N_ERR_PRF_INVALID_ALGORITHM).
 *   TLS 1.0/1.1:   PRF(master_secret, "client finished", MD5(transcript) || SHA1(transcript)).
 *
 * Transcript digests are taken from copies so the running hashes continue.
 */
int s2n_prf_client_finished(struct s2n_connection *conn)
{
    struct s2n_blob master_secret, md5, sha;
    uint8_t md5_digest[MD5_DIGEST_LENGTH];
    /* Sized for the largest digest used here (SHA384). */
    uint8_t sha_digest[SHA384_DIGEST_LENGTH];
    uint8_t client_finished_label[] = "client finished";
    struct s2n_blob client_finished = {0};
    struct s2n_blob label = {0};

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_client_finished(conn);
    }

    client_finished.data = conn->handshake.client_finished;
    client_finished.size = S2N_TLS_FINISHED_LEN;
    label.data = client_finished_label;
    /* Label excludes the terminating NUL. */
    label.size = sizeof(client_finished_label) - 1;

    master_secret.data = conn->secure.master_secret;
    master_secret.size = sizeof(conn->secure.master_secret);
    if (conn->actual_protocol_version == S2N_TLS12) {
        switch (conn->secure.cipher_suite->tls12_prf_alg) {
        case S2N_HMAC_SHA256:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
            sha.size = SHA256_DIGEST_LENGTH;
            break;
        case S2N_HMAC_SHA384:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
            sha.size = SHA384_DIGEST_LENGTH;
            break;
        default:
            S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
        }

        sha.data = sha_digest;
        /* TLS 1.2 uses a single seed: the transcript hash. */
        return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
    }

    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));

    GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));

    md5.data = md5_digest;
    md5.size = MD5_DIGEST_LENGTH;
    sha.data = sha_digest;
    sha.size = SHA_DIGEST_LENGTH;

    /* TLS 1.0/1.1: seed is MD5(transcript) || SHA1(transcript). */
    return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
}

/* Compute the server Finished verify_data into conn->handshake.server_finished
 * (S2N_TLS_FINISHED_LEN bytes). Same derivation as s2n_prf_client_finished
 * with the label "server finished".
 */
int s2n_prf_server_finished(struct s2n_connection *conn)
{
    struct s2n_blob master_secret, md5, sha;
    uint8_t md5_digest[MD5_DIGEST_LENGTH];
    /* Sized for the largest digest used here (SHA384). */
    uint8_t sha_digest[SHA384_DIGEST_LENGTH];
    uint8_t server_finished_label[] = "server finished";
    struct s2n_blob server_finished = {0};
    struct s2n_blob label = {0};

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_server_finished(conn);
    }

    server_finished.data = conn->handshake.server_finished;
    server_finished.size = S2N_TLS_FINISHED_LEN;
    label.data = server_finished_label;
    /* Label excludes the terminating NUL. */
    label.size = sizeof(server_finished_label) - 1;

    master_secret.data = conn->secure.master_secret;
    master_secret.size = sizeof(conn->secure.master_secret);
    if (conn->actual_protocol_version == S2N_TLS12) {
        switch (conn->secure.cipher_suite->tls12_prf_alg) {
        case S2N_HMAC_SHA256:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
            sha.size = SHA256_DIGEST_LENGTH;
            break;
        case S2N_HMAC_SHA384:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
            sha.size = SHA384_DIGEST_LENGTH;
            break;
        default:
            S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
        }

        sha.data = sha_digest;
        /* TLS 1.2 uses a single seed: the transcript hash. */
        return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
    }

    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));

    GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));

    md5.data = md5_digest;
    md5.size = MD5_DIGEST_LENGTH;
    sha.data = sha_digest;
    sha.size = SHA_DIGEST_LENGTH;

    /* TLS 1.0/1.1: seed is MD5(transcript) || SHA1(transcript). */
    return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
}

/* Consume key_material_size bytes from `key_material` as the client write key.
 * On the client that is our encryption key; on the server, our decryption key.
 */
static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
    struct s2n_blob client_key = {0};
    client_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
    client_key.data = s2n_stuffer_raw_read(key_material, client_key.size);
    notnull_check(client_key.data);

    if (conn->mode == S2N_CLIENT) {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.client_key, &client_key));
    } else {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.client_key, &client_key));
    }

    return 0;
}

/* Consume key_material_size bytes from `key_material` as the server write key.
 * On the server that is our encryption key; on the client, our decryption key.
 */
static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
    struct s2n_blob server_key = {0};
    server_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
    server_key.data = s2n_stuffer_raw_read(key_material, server_key.size);
    notnull_check(server_key.data);

    if (conn->mode == S2N_SERVER) {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.server_key, &server_key));
    } else {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.server_key, &server_key));
    }

    return 0;
}

/* Expand the master secret into the record-layer keys (RFC 5246 6.3).
 *
 * key_block = PRF(master_secret, "key expansion", server_random || client_random),
 * then consumed strictly in this order:
 *   client MAC key, server MAC key, client write key, server write key,
 *   and, only for TLS 1.0 (any cipher) or AEAD suites, the client and
 *   server implicit IVs.
 * The MAC key length is taken from the composite cipher when the suite uses
 * one, otherwise from the HMAC digest size. Composite ciphers receive the MAC
 * keys after the write keys are set, as they require.
 *
 * NOTE(review): key_block holds the derived key material on the stack and
 * is not cleared before return; a compiler-resistant zeroisation on exit
 * would shorten its lifetime.
 */
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
    struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) };
    struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) };
    struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) };
    struct s2n_blob label, out;
    uint8_t key_expansion_label[] = "key expansion";
    uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];

    label.data = key_expansion_label;
    /* Label excludes the terminating NUL. */
    label.size = sizeof(key_expansion_label) - 1;

    out.data = key_block;
    out.size = sizeof(key_block);

    struct s2n_stuffer key_material = {{0}};
    /* Note the seed order: server_random first, then client_random. */
    GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &out));
    GUARD(s2n_stuffer_init(&key_material, &out));
    GUARD(s2n_stuffer_write(&key_material, &out));

    GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.client_key));
    GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.server_key));

    /* Check that we have a valid MAC and key size */
    uint8_t mac_size;
    if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        mac_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.mac_key_size;
    } else {
        GUARD(s2n_hmac_digest_size(conn->secure.cipher_suite->record_alg->hmac_alg, &mac_size));
    }

    /* Seed the client MAC */
    uint8_t *client_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(client_mac_write_key);
    GUARD(s2n_hmac_reset(&conn->secure.client_record_mac));
    GUARD(s2n_hmac_init(&conn->secure.client_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, client_mac_write_key, mac_size));

    /* Seed the server MAC */
    uint8_t *server_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(server_mac_write_key);
    GUARD(s2n_hmac_reset(&conn->secure.server_record_mac));
    GUARD(s2n_hmac_init(&conn->secure.server_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, server_mac_write_key, mac_size));

    /* Make the client key */
    GUARD(s2n_prf_make_client_key(conn, &key_material));

    /* Make the server key */
    GUARD(s2n_prf_make_server_key(conn, &key_material));

    /* Composite CBC does MAC inside the cipher, pass it the MAC key.
     * Must happen after setting encryption/decryption keys.
     */
    if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.server_key, server_mac_write_key, mac_size));
        GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.client_key, client_mac_write_key, mac_size));
    }

    /* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */
    if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->record_alg->cipher->type != S2N_AEAD) {
        return 0;
    }

    /* Implicit IV length depends on the cipher construction; zero for stream ciphers. */
    uint32_t implicit_iv_size = 0;
    switch (conn->secure.cipher_suite->record_alg->cipher->type) {
    case S2N_AEAD:
        implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.aead.fixed_iv_size;
        break;
    case S2N_CBC:
        implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.cbc.block_size;
        break;
    case S2N_COMPOSITE:
        implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.block_size;
        break;
    /* No-op for stream ciphers */
    default:
        break;
    }

    struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv,.size = implicit_iv_size };
    struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv,.size = implicit_iv_size };
    GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
    GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));

    return 0;
}
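/* Parse a TLS Certificate message body and, unless validation is disabled,
 * verify the chain against the validator's trust store.
 *
 * cert_chain_in / cert_chain_len: the raw, peer-supplied message body, a
 *     sequence of uint24-length-prefixed DER certificates, leaf first.
 * validator: trust store, the X509 stack that receives the parsed certs,
 *     max_chain_depth and the skip_cert_validation switch.
 * conn: supplies verify_host_fn (hostname check, only run when the
 *     application set one) and the wall clock used for validity checks.
 * cert_type / public_key_out: outputs taken from the first certificate; only
 *     meaningful when S2N_CERT_OK is returned. Ownership of public_key_out's
 *     contents passes to the caller; the local copy is zeroed so DEFER_CLEANUP
 *     does not free it.
 *
 * Returns S2N_CERT_OK, S2N_CERT_ERR_INVALID (malformed input, parse or
 * allocation failure), S2N_CERT_ERR_UNTRUSTED (empty trust store, hostname
 * mismatch, or X509_verify_cert failure) or
 * S2N_CERT_ERR_MAX_CHAIN_DEPTH_EXCEEDED.
 */
s2n_cert_validation_code s2n_x509_validator_validate_cert_chain(struct s2n_x509_validator *validator, struct s2n_connection *conn,
                                                                uint8_t *cert_chain_in, uint32_t cert_chain_len, s2n_cert_type *cert_type,
                                                                struct s2n_pkey *public_key_out)
{
    /* With nothing to trust, nothing can verify; fail closed up front. */
    if (!validator->skip_cert_validation && !s2n_x509_trust_store_has_certs(validator->trust_store)) {
        return S2N_CERT_ERR_UNTRUSTED;
    }

    DEFER_CLEANUP(X509_STORE_CTX *ctx = NULL, X509_STORE_CTX_free_pointer);

    struct s2n_blob cert_chain_blob = {.data = cert_chain_in, .size = cert_chain_len};
    DEFER_CLEANUP(struct s2n_stuffer cert_chain_in_stuffer = {{0}}, s2n_stuffer_free);

    if (s2n_stuffer_init(&cert_chain_in_stuffer, &cert_chain_blob) < 0) {
        return S2N_CERT_ERR_INVALID;
    }
    if (s2n_stuffer_write(&cert_chain_in_stuffer, &cert_chain_blob) < 0) {
        return S2N_CERT_ERR_INVALID;
    }

    uint32_t certificate_count = 0;

    X509 *server_cert = NULL;

    DEFER_CLEANUP(struct s2n_pkey public_key = {{{0}}}, s2n_pkey_free);
    s2n_pkey_zero_init(&public_key);

    /* Parse at most max_chain_depth certificates; leftovers are handled below. */
    while (s2n_stuffer_data_available(&cert_chain_in_stuffer) && certificate_count < validator->max_chain_depth) {
        uint32_t certificate_size = 0;

        if (s2n_stuffer_read_uint24(&cert_chain_in_stuffer, &certificate_size) < 0) {
            return S2N_CERT_ERR_INVALID;
        }

        /* The declared length is attacker-controlled: it must be non-zero and fit the remaining data. */
        if (certificate_size == 0 || certificate_size > s2n_stuffer_data_available(&cert_chain_in_stuffer)) {
            return S2N_CERT_ERR_INVALID;
        }

        struct s2n_blob asn1cert = {0};
        asn1cert.data = s2n_stuffer_raw_read(&cert_chain_in_stuffer, certificate_size);
        asn1cert.size = certificate_size;
        if (asn1cert.data == NULL) {
            return S2N_CERT_ERR_INVALID;
        }

        const uint8_t *data = asn1cert.data;

        if (!validator->skip_cert_validation) {
            /* the cert is der encoded, just convert it. */
            server_cert = d2i_X509(NULL, &data, asn1cert.size);
            if (!server_cert) {
                return S2N_CERT_ERR_INVALID;
            }

            /* add the cert to the chain. On success the stack owns it. */
            if (!sk_X509_push(validator->cert_chain, server_cert)) {
                X509_free(server_cert);
                return S2N_CERT_ERR_INVALID;
            }
        }

        /* Pull the public key from the first certificate */
        if (certificate_count == 0) {
            if (s2n_asn1der_to_public_key_and_type(&public_key, cert_type, &asn1cert) < 0) {
                return S2N_CERT_ERR_INVALID;
            }
        }

        certificate_count++;
    }

    /* if this occurred we exceeded validator->max_chain_depth */
    if (!validator->skip_cert_validation && s2n_stuffer_data_available(&cert_chain_in_stuffer)) {
        return S2N_CERT_ERR_MAX_CHAIN_DEPTH_EXCEEDED;
    }

    if (certificate_count < 1) {
        return S2N_CERT_ERR_INVALID;
    }

    if (!validator->skip_cert_validation) {
        X509 *leaf = sk_X509_value(validator->cert_chain, 0);
        if (!leaf) {
            return S2N_CERT_ERR_INVALID;
        }

        /* Hostname binding is only enforced when the application installed a callback. */
        if (conn->verify_host_fn && !s2n_verify_host_information(validator, conn, leaf)) {
            return S2N_CERT_ERR_UNTRUSTED;
        }

        /* now that we have a chain, get the store and check against it. */
        ctx = X509_STORE_CTX_new();
        if (!ctx) {
            /* Allocation failure: X509_STORE_CTX_init would otherwise dereference NULL. */
            return S2N_CERT_ERR_INVALID;
        }

        int op_code = X509_STORE_CTX_init(ctx, validator->trust_store->trust_store, leaf, validator->cert_chain);
        if (op_code <= 0) {
            return S2N_CERT_ERR_INVALID;
        }

        X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
        X509_VERIFY_PARAM_set_depth(param, validator->max_chain_depth);

        /* Validity is checked against the configured clock, not the C library's. */
        uint64_t current_sys_time = 0;
        conn->config->wall_clock(conn->config->sys_clock_ctx, &current_sys_time);

        /* this wants seconds not nanoseconds */
        time_t current_time = (time_t)(current_sys_time / 1000000000);
        X509_STORE_CTX_set_time(ctx, 0, current_time);

        op_code = X509_verify_cert(ctx);
        if (op_code <= 0) {
            return S2N_CERT_ERR_UNTRUSTED;
        }
    }

    *public_key_out = public_key;

    /* Reset the old struct, so we don't clean up public_key_out */
    s2n_pkey_zero_init(&public_key);

    return S2N_CERT_OK;
}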
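/* Hex-encode the first `len` bytes of `digest` into `output` and compare the
 * encoding with `expected_hex`.  The stuffer is re-initialised over `out`
 * first, so every check looks at this digest and not at whatever was written
 * by the previous one.  Returns 0; a mismatch fails the test via EXPECT_*. */
static int s2n_test_digest_hex(struct s2n_stuffer *output, struct s2n_blob *out, const uint8_t *digest, size_t len, const char *expected_hex)
{
    EXPECT_SUCCESS(s2n_stuffer_init(output, out));
    for (size_t i = 0; i < len; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(output, digest[i]));
    }
    EXPECT_EQUAL(memcmp(out->data, expected_hex, len * 2), 0);
    return 0;
}

/* Known-answer tests for s2n_hmac: every supported algorithm against a
 * reference digest of "Hello world!", plus state copy, reset and
 * digest_verify round trips. */
int main(int argc, char **argv)
{
    uint8_t digest_pad[256];
    uint8_t check_pad[256];
    uint8_t output_pad[256];
    struct s2n_stuffer output;
    uint8_t sekrit[] = "sekrit";
    uint8_t longsekrit[] = "This is a really really really long key on purpose to make sure that it's longer than the block size";
    uint8_t hello[] = "Hello world!";
    struct s2n_hmac_state hmac, copy;
    struct s2n_hmac_state cmac;
    struct s2n_blob out = {.data = output_pad, .size = sizeof(output_pad) };

    BEGIN_TEST();

    /* HMAC-MD5, short key */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_MD5), 16);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_copy(&copy, &hmac));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* Check the copy.  Previously the copy's hex output was appended after the
     * original's and the first 32 bytes re-compared, which could never fail;
     * the stuffer is now reset so the copy's own digest is what is checked. */
    EXPECT_SUCCESS(s2n_hmac_digest(&copy, digest_pad, 16));
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* HMAC-MD5, key longer than the block size */
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "2ce569d61f4ee6ad9ceebe02a112ace7"));

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "2ce569d61f4ee6ad9ceebe02a112ace7"));

    /* Verify that _verify works: an independent state with the same key and
     * message must verify against the digest computed above. */
    EXPECT_SUCCESS(s2n_hmac_init(&cmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&cmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&cmac, check_pad, 16));
    EXPECT_SUCCESS(s2n_hmac_digest_verify(digest_pad, 16, check_pad, 16));

    /* Try SHA1 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA1, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 20, "6d301861b599938eca94f6de917362886d97882f"));

    /* Try SHA256 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA256), 32);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA256, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 32));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 32, "adc20b12d236e6d1824d690622e33ead4f67ba5a2be9606fe762b2dd859a78a9"));

    /* Try SHA384 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA384), 48);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA384, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 48));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 48, "8552563cadd583b79dcc7225bb79bc6483c63f259187162e1c9d4283eb6299ef1bc3ca81c0c40fc7b22f7a1f3b93adb4"));

    /* Try SHA512 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA512), 64);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA512, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 64));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 64, "0a834a1ed265042e2897405edb4fdd9818950cd5bea10b828f2fed45a1cb6dbd2107e4b04eb20f211998cd4e8c7e11ebdcb0103ac63882481e1bb8083d07f4be"));

    /* Try SSLv3 MD5 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5), 16);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from Go */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "d4f0d06b9765de23e6c3e33a24c5ded0"));

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 16, "d4f0d06b9765de23e6c3e33a24c5ded0"));

    /* Try SSLv3 SHA1 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_SHA1, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    /* Reference value from Go */
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 20, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326"));

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    EXPECT_SUCCESS(s2n_test_digest_hex(&output, &out, digest_pad, 20, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326"));

    END_TEST();
}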
/* Negotiate ALPN: choose the first protocol in the server's configured list
 * (server preference order) that the client also offered, and store it in
 * conn->application_protocol as a NUL-terminated string.
 *
 * A client list with a bad outer length is ignored (returns 0 with nothing
 * selected); an inner length that overruns the list is S2N_ERR_BAD_MESSAGE;
 * no protocol in common is S2N_ERR_NO_APPLICATION_PROTOCOL.
 */
static int s2n_recv_client_alpn(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
    struct s2n_blob *configured = &conn->config->application_protocols;

    /* No protocols configured, nothing to do */
    if (!configured->size) {
        return 0;
    }

    uint16_t list_len;
    GUARD(s2n_stuffer_read_uint16(extension, &list_len));

    /* Malformed length, ignore the extension */
    if (list_len > s2n_stuffer_data_available(extension) || list_len < 3) {
        return 0;
    }

    struct s2n_blob offered = { .data = s2n_stuffer_raw_read(extension, list_len), .size = list_len };
    notnull_check(offered.data);

    /* Find a matching protocol: walk our preferences in order and scan the
     * client's offer for each one. */
    struct s2n_stuffer offered_protos;
    struct s2n_stuffer configured_protos;
    GUARD(s2n_stuffer_init(&offered_protos, &offered));
    GUARD(s2n_stuffer_write(&offered_protos, &offered));
    GUARD(s2n_stuffer_init(&configured_protos, configured));
    GUARD(s2n_stuffer_write(&configured_protos, configured));

    while (s2n_stuffer_data_available(&configured_protos)) {
        uint8_t want_len;
        uint8_t want[255];
        GUARD(s2n_stuffer_read_uint8(&configured_protos, &want_len));
        GUARD(s2n_stuffer_read_bytes(&configured_protos, want, want_len));

        while (s2n_stuffer_data_available(&offered_protos)) {
            uint8_t have_len;
            GUARD(s2n_stuffer_read_uint8(&offered_protos, &have_len));
            if (have_len > s2n_stuffer_data_available(&offered_protos)) {
                S2N_ERROR(S2N_ERR_BAD_MESSAGE);
            }

            /* Different length cannot match; skip the entry without copying it. */
            if (have_len != want_len) {
                GUARD(s2n_stuffer_skip_read(&offered_protos, have_len));
                continue;
            }

            uint8_t have[255];
            GUARD(s2n_stuffer_read_bytes(&offered_protos, have, have_len));
            if (memcmp(have, want, have_len) == 0) {
                memcpy_check(conn->application_protocol, have, have_len);
                conn->application_protocol[have_len] = '\0';
                return 0;
            }
        }

        /* Rewind the client's list before trying our next preference. */
        GUARD(s2n_stuffer_reread(&offered_protos));
    }

    S2N_ERROR(S2N_ERR_NO_APPLICATION_PROTOCOL);
}

/* Record a client status_request (RFC 6066) extension.  Only OCSP is
 * supported; any other type, or a truncated extension, is ignored. */
static int s2n_recv_client_status_request(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
    /* Malformed length, ignore the extension */
    if (s2n_stuffer_data_available(extension) < 5) {
        return 0;
    }

    uint8_t status_type;
    GUARD(s2n_stuffer_read_uint8(extension, &status_type));

    /* We only support OCSP (type 1); anything else leaves status_type untouched. */
    if (status_type == (uint8_t) S2N_STATUS_REQUEST_OCSP) {
        conn->status_type = (s2n_status_request_type) status_type;
    }

    return 0;
}

/* Pick a supported elliptic curve from the client's supported-curves list.
 * A bad list length (overrun or odd byte count) ignores the extension; no
 * common curve clears negotiated_curve and still returns 0 so the handshake
 * can continue with a non-ECC cipher suite. */
static int s2n_recv_client_elliptic_curves(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
    uint16_t list_len;
    GUARD(s2n_stuffer_read_uint16(extension, &list_len));

    /* Malformed length, ignore the extension */
    if (list_len > s2n_stuffer_data_available(extension) || list_len % 2) {
        return 0;
    }

    struct s2n_blob proposed_curves = { .data = s2n_stuffer_raw_read(extension, list_len), .size = list_len };
    notnull_check(proposed_curves.data);

    /* Can't agree on a curve, ECC is not allowed. Return success to proceed with the handshake. */
    if (s2n_ecc_find_supported_curve(&proposed_curves, &conn->secure.server_ecc_params.negotiated_curve) != 0) {
        conn->secure.server_ecc_params.negotiated_curve = NULL;
    }

    return 0;
}
/* Write one TLS record carrying a fragment of `in` into conn->out.
 *
 * Uses the sending direction's state (server by default, client when
 * conn->mode == S2N_CLIENT): sequence number, record MAC, session key, cipher
 * suite and implicit IV.  The MAC covers sequence number, header fields and
 * payload; per cipher type the record then gets an explicit nonce plus AAD
 * (AEAD), a random explicit IV and padding (CBC, TLS1.1+), or the composite
 * cipher's own MAC/padding handling, and is encrypted in place.
 *
 * Requires conn->out to be empty (S2N_ERR_BAD_MESSAGE otherwise).  Returns the
 * number of bytes of `in` consumed, which may be less than in->size; the
 * caller is expected to loop for the remainder.  -1 via GUARD/S2N_ERROR.
 */
int s2n_record_write(struct s2n_connection *conn, uint8_t content_type, struct s2n_blob *in)
{
    struct s2n_blob out, iv, aad;
    uint8_t padding = 0;
    uint16_t block_size = 0;
    uint8_t aad_gen[S2N_TLS_MAX_AAD_LEN] = { 0 };
    uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
    /* Default to the server write state; swapped for client mode below. */
    uint8_t *sequence_number = conn->server->server_sequence_number;
    struct s2n_hmac_state *mac = &conn->server->server_record_mac;
    struct s2n_session_key *session_key = &conn->server->server_key;
    const struct s2n_cipher_suite *cipher_suite = conn->server->cipher_suite;
    uint8_t *implicit_iv = conn->server->server_implicit_iv;

    if (conn->mode == S2N_CLIENT) {
        sequence_number = conn->client->client_sequence_number;
        mac = &conn->client->client_record_mac;
        session_key = &conn->client->client_key;
        cipher_suite = conn->client->cipher_suite;
        implicit_iv = conn->client->client_implicit_iv;
    }

    /* A partially written record already in conn->out would be corrupted. */
    S2N_ERROR_IF(s2n_stuffer_data_available(&conn->out), S2N_ERR_BAD_MESSAGE);

    uint8_t mac_digest_size;
    GUARD(s2n_hmac_digest_size(mac->alg, &mac_digest_size));

    /* Before we do anything, we need to figure out what the length of the
     * fragment is going to be.
     */
    uint16_t data_bytes_to_take = MIN(in->size, s2n_record_max_write_payload_size(conn));
    uint16_t extra = overhead(conn);

    /* If we have padding to worry about, figure that out too */
    if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
        block_size = cipher_suite->record_alg->cipher->io.cbc.block_size;
        if (((data_bytes_to_take + extra) % block_size)) {
            padding = block_size - ((data_bytes_to_take + extra) % block_size);
        }
    } else if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        block_size = cipher_suite->record_alg->cipher->io.comp.block_size;
    }

    /* Start the MAC with the sequence number */
    GUARD(s2n_hmac_update(mac, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));

    /* Now that we know the length, start writing the record */
    GUARD(s2n_stuffer_write_uint8(&conn->out, content_type));
    GUARD(s2n_record_write_protocol_version(conn));

    /* First write a header that has the payload length, this is for the MAC */
    GUARD(s2n_stuffer_write_uint16(&conn->out, data_bytes_to_take));

    if (conn->actual_protocol_version > S2N_SSLv3) {
        GUARD(s2n_hmac_update(mac, conn->out.blob.data, S2N_TLS_RECORD_HEADER_LENGTH));
    } else {
        /* SSLv3 doesn't include the protocol version in the MAC */
        GUARD(s2n_hmac_update(mac, conn->out.blob.data, 1));
        GUARD(s2n_hmac_update(mac, conn->out.blob.data + 3, 2));
    }

    /* Compute non-payload parts of the MAC(seq num, type, proto vers, fragment length) for composite ciphers.
     * Composite "encrypt" will MAC the payload data and fill in padding.
     */
    if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        /* Only fragment length is needed for MAC, but the EVP ctrl function needs fragment length + eiv len.
         */
        uint16_t payload_and_eiv_len = data_bytes_to_take;
        if (conn->actual_protocol_version > S2N_TLS10) {
            payload_and_eiv_len += block_size;
        }

        /* Outputs number of extra bytes required for MAC and padding */
        int pad_and_mac_len;
        GUARD(cipher_suite->record_alg->cipher->io.comp.initial_hmac(session_key, sequence_number, content_type, conn->actual_protocol_version,
                                                                     payload_and_eiv_len, &pad_and_mac_len));
        extra += pad_and_mac_len;
    }

    /* Rewrite the length to be the actual fragment length */
    uint16_t actual_fragment_length = data_bytes_to_take + padding + extra;
    GUARD(s2n_stuffer_wipe_n(&conn->out, 2));
    GUARD(s2n_stuffer_write_uint16(&conn->out, actual_fragment_length));

    /* If we're AEAD, write the sequence number as an IV, and generate the AAD */
    if (cipher_suite->record_alg->cipher->type == S2N_AEAD) {
        struct s2n_stuffer iv_stuffer = {{0}};
        iv.data = aad_iv;
        iv.size = sizeof(aad_iv);
        GUARD(s2n_stuffer_init(&iv_stuffer, &iv));

        if (cipher_suite->record_alg->flags & S2N_TLS12_AES_GCM_AEAD_NONCE) {
            /* Partially explicit nonce. See RFC 5288 Section 3: nonce = fixed IV || sequence number,
             * and the sequence number also goes on the wire as the explicit part. */
            GUARD(s2n_stuffer_write_bytes(&conn->out, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, implicit_iv, cipher_suite->record_alg->cipher->io.aead.fixed_iv_size));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
        } else if (cipher_suite->record_alg->flags & S2N_TLS12_CHACHA_POLY_AEAD_NONCE) {
            /* Fully implicit nonce. See RFC7905 Section 2: (0^32 || sequence number) XOR implicit IV,
             * nothing is written to the wire. */
            uint8_t four_zeroes[4] = { 0 };
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, four_zeroes, 4));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
            for(int i = 0; i < cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; i++) {
                aad_iv[i] = aad_iv[i] ^ implicit_iv[i];
            }
        } else {
            S2N_ERROR(S2N_ERR_INVALID_NONCE_TYPE);
        }

        /* Set the IV size to the amount of data written */
        iv.size = s2n_stuffer_data_available(&iv_stuffer);

        aad.data = aad_gen;
        aad.size = sizeof(aad_gen);

        struct s2n_stuffer ad_stuffer = {{0}};
        GUARD(s2n_stuffer_init(&ad_stuffer, &aad));
        GUARD(s2n_aead_aad_init(conn, sequence_number, content_type, data_bytes_to_take, &ad_stuffer));
    } else if (cipher_suite->record_alg->cipher->type == S2N_CBC || cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        iv.size = block_size;
        iv.data = implicit_iv;

        /* For TLS1.1/1.2; write the IV with random data.  SSLv3/TLS1.0 keep
         * using the chained implicit_iv (see the CBC encrypt case below). */
        if (conn->actual_protocol_version > S2N_TLS10) {
            GUARD(s2n_get_public_random_data(&iv));
            GUARD(s2n_stuffer_write(&conn->out, &iv));
        }
    }

    /* We are done with this sequence number, so we can increment it */
    struct s2n_blob seq = {.data = sequence_number,.size = S2N_TLS_SEQUENCE_NUM_LEN };
    GUARD(s2n_increment_sequence_number(&seq));

    /* Write the plaintext data */
    out.data = in->data;
    out.size = data_bytes_to_take;
    GUARD(s2n_stuffer_write(&conn->out, &out));
    GUARD(s2n_hmac_update(mac, out.data, out.size));

    /* Write the digest */
    uint8_t *digest = s2n_stuffer_raw_write(&conn->out, mac_digest_size);
    notnull_check(digest);

    GUARD(s2n_hmac_digest(mac, digest, mac_digest_size));
    GUARD(s2n_hmac_reset(mac));

    if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
        /* Include padding bytes, each with the value 'p', and
         * include an extra padding length byte, also with the value 'p'.
         */
        for (int i = 0; i <= padding; i++) {
            GUARD(s2n_stuffer_write_uint8(&conn->out, padding));
        }
    }

    /* Rewind to rewrite/encrypt the packet */
    GUARD(s2n_stuffer_rewrite(&conn->out));

    /* Skip the header */
    GUARD(s2n_stuffer_skip_write(&conn->out, S2N_TLS_RECORD_HEADER_LENGTH));

    /* Work out how much of what follows the header is to be encrypted in place. */
    uint16_t encrypted_length = data_bytes_to_take + mac_digest_size;
    switch (cipher_suite->record_alg->cipher->type) {
    case S2N_AEAD:
        GUARD(s2n_stuffer_skip_write(&conn->out, cipher_suite->record_alg->cipher->io.aead.record_iv_size));
        encrypted_length += cipher_suite->record_alg->cipher->io.aead.tag_size;
        break;
    case S2N_CBC:
        if (conn->actual_protocol_version > S2N_TLS10) {
            /* Leave the IV alone and unencrypted */
            GUARD(s2n_stuffer_skip_write(&conn->out, iv.size));
        }
        /* Encrypt the padding and the padding length byte too */
        encrypted_length += padding + 1;
        break;
    case S2N_COMPOSITE:
        /* Composite CBC expects a pointer starting at explicit IV: [Explicit IV | fragment | MAC | padding | padding len ]
         * extra will account for the explicit IV len(if applicable), MAC digest len, padding len + padding byte.
         */
        encrypted_length += extra;
        break;
    default:
        break;
    }

    /* Do the encryption */
    struct s2n_blob en = {0};
    en.size = encrypted_length;
    en.data = s2n_stuffer_raw_write(&conn->out, en.size);
    notnull_check(en.data);
    switch (cipher_suite->record_alg->cipher->type) {
    case S2N_STREAM:
        GUARD(cipher_suite->record_alg->cipher->io.stream.encrypt(session_key, &en, &en));
        break;
    case S2N_CBC:
        GUARD(cipher_suite->record_alg->cipher->io.cbc.encrypt(session_key, &iv, &en, &en));

        /* Copy the last encrypted block to be the next IV.  This is the
         * SSLv3/TLS1.0 chained-IV behaviour (predictable next IV, the reason
         * TLS1.1+ writes a fresh random explicit IV per record instead). */
        if (conn->actual_protocol_version < S2N_TLS11) {
            gte_check(en.size, block_size);
            memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
        }
        break;
    case S2N_AEAD:
        GUARD(cipher_suite->record_alg->cipher->io.aead.encrypt(session_key, &iv, &aad, &en, &en));
        break;
    case S2N_COMPOSITE:
        /* This will: compute mac, append padding, append padding length, and encrypt */
        GUARD(cipher_suite->record_alg->cipher->io.comp.encrypt(session_key, &iv, &en, &en));

        /* Copy the last encrypted block to be the next IV */
        gte_check(en.size, block_size);
        memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
        break;
    default:
        S2N_ERROR(S2N_ERR_CIPHER_TYPE);
        break;
    }

    conn->wire_bytes_out += actual_fragment_length + S2N_TLS_RECORD_HEADER_LENGTH;
    return data_bytes_to_take;
}
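/* Derive the record-layer key block from the master secret and install it on
 * conn->secure.  `out` is the caller's scratch buffer for the PRF output; it
 * is consumed in the order client_write_MAC_key | server_write_MAC_key |
 * client_write_key | server_write_key | client_write_IV | server_write_IV.
 * The IVs are only read for AEAD (fixed IV) and for SSLv3/TLS1.0 non-AEAD
 * suites; TLS1.1+ non-AEAD suites return before that point.
 *
 * Returns 0 on success, -1 via GUARD/notnull_check.  Must not be called
 * directly: s2n_prf_key_expansion() owns and wipes the key block.
 */
static int s2n_prf_key_expansion_install(struct s2n_connection *conn, struct s2n_blob *out)
{
    struct s2n_blob client_random = {.data = conn->secure.client_random, .size = sizeof(conn->secure.client_random) };
    struct s2n_blob server_random = {.data = conn->secure.server_random, .size = sizeof(conn->secure.server_random) };
    struct s2n_blob master_secret = {.data = conn->secure.master_secret, .size = sizeof(conn->secure.master_secret) };
    /* The label is used without its trailing NUL. */
    uint8_t key_expansion_label[] = "key expansion";
    struct s2n_blob label = {.data = key_expansion_label, .size = sizeof(key_expansion_label) - 1 };

    struct s2n_stuffer key_material;
    /* Seed order for key expansion is server_random then client_random. */
    GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, out));
    GUARD(s2n_stuffer_init(&key_material, out));
    GUARD(s2n_stuffer_write(&key_material, out));

    GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.client_key));
    GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.server_key));

    /* What's our hmac algorithm?  SSLv3 uses its own MAC construction, so map
     * the suite's algorithm onto the SSLv3 variants. */
    s2n_hmac_algorithm hmac_alg = conn->secure.cipher_suite->hmac_alg;
    if (conn->actual_protocol_version == S2N_SSLv3) {
        if (hmac_alg == S2N_HMAC_SHA1) {
            hmac_alg = S2N_HMAC_SSLv3_SHA1;
        } else if (hmac_alg == S2N_HMAC_MD5) {
            hmac_alg = S2N_HMAC_SSLv3_MD5;
        } else {
            S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
        }
    }

    /* Check that we have a valid MAC and key size */
    int mac_size;
    GUARD((mac_size = s2n_hmac_digest_size(hmac_alg)));

    /* Seed the client MAC */
    uint8_t *client_write_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(client_write_mac_key);
    GUARD(s2n_hmac_init(&conn->secure.client_record_mac, hmac_alg, client_write_mac_key, mac_size));

    /* Seed the server MAC */
    uint8_t *server_write_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(server_write_mac_key);
    GUARD(s2n_hmac_init(&conn->secure.server_record_mac, hmac_alg, server_write_mac_key, mac_size));

    /* Make the client key: we encrypt with it as the client, decrypt with it as the server. */
    struct s2n_blob client_key;
    client_key.size = conn->secure.cipher_suite->cipher->key_material_size;
    client_key.data = s2n_stuffer_raw_read(&key_material, client_key.size);
    notnull_check(client_key.data);
    if (conn->mode == S2N_CLIENT) {
        GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.client_key, &client_key));
    } else {
        GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &client_key));
    }

    /* Make the server key: the mirror image of the client key. */
    struct s2n_blob server_key;
    server_key.size = conn->secure.cipher_suite->cipher->key_material_size;
    server_key.data = s2n_stuffer_raw_read(&key_material, server_key.size);
    notnull_check(server_key.data);
    if (conn->mode == S2N_SERVER) {
        GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &server_key));
    } else {
        GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.server_key, &server_key));
    }

    /* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */
    if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->cipher->type != S2N_AEAD) {
        return 0;
    }

    uint32_t implicit_iv_size = 0;
    switch(conn->secure.cipher_suite->cipher->type) {
    case S2N_AEAD:
        implicit_iv_size = conn->secure.cipher_suite->cipher->io.aead.fixed_iv_size;
        break;
    case S2N_CBC:
        implicit_iv_size = conn->secure.cipher_suite->cipher->io.cbc.block_size;
        break;
    /* No-op for stream ciphers */
    default:
        break;
    }

    struct s2n_blob client_implicit_iv = { .data = conn->secure.client_implicit_iv, .size = implicit_iv_size };
    struct s2n_blob server_implicit_iv = { .data = conn->secure.server_implicit_iv, .size = implicit_iv_size };
    GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
    GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));

    return 0;
}

/* Run the TLS key expansion for conn and install the resulting MAC keys,
 * cipher keys and implicit IVs on conn->secure.
 *
 * Returns 0 on success, -1 with s2n_errno set on failure.  The raw key block
 * is wiped before returning on every path, so it does not linger on the stack
 * after the keys have been installed.
 */
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
    uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];
    struct s2n_blob out = {.data = key_block, .size = sizeof(key_block) };

    int rc = s2n_prf_key_expansion_install(conn, &out);

    /* key_block holds raw MAC keys, cipher keys and IVs.  Clear it whether or
     * not derivation succeeded; a wipe failure must not mask a derivation
     * failure, and a derivation failure is reported unchanged. */
    if (s2n_blob_zero(&out) < 0 && rc == 0) {
        rc = -1;
    }

    return rc;
}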