static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type,
uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
{
uint8_t ctrl_buf[S2N_TLS12_AAD_LEN];
struct s2n_blob ctrl_blob = { .data = ctrl_buf, .size = S2N_TLS12_AAD_LEN };
struct s2n_stuffer ctrl_stuffer;
GUARD(s2n_stuffer_init(&ctrl_stuffer, &ctrl_blob));
GUARD(s2n_stuffer_write_bytes(&ctrl_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, content_type));
GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, protocol_version / 10));
GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, protocol_version % 10));
GUARD(s2n_stuffer_write_uint16(&ctrl_stuffer, payload_and_eiv_len));
/* This will unnecessarily mangle the input buffer, which is fine since it's temporary
* Return value will be length of digest, padding, and padding length byte.
* See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L814
* and https://github.com/openssl/openssl/blob/4f0c475719defd7c051964ef9964cc6e5b3a63bf/ssl/record/ssl3_record.c#L743
*/
int ctrl_ret = EVP_CIPHER_CTX_ctrl(key->evp_cipher_ctx, EVP_CTRL_AEAD_TLS1_AAD, S2N_TLS12_AAD_LEN, ctrl_buf);
if (ctrl_ret < 0) {
S2N_ERROR(S2N_ERR_INITIAL_HMAC);
}
*extra = ctrl_ret;
return 0;
}
static int s2n_send_client_signature_algorithms_extension(struct s2n_connection *conn, struct s2n_stuffer *out)
{
/* The extension header */
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_SIGNATURE_ALGORITHMS));
/* Each hash-signature-alg pair is two bytes, and there's another two bytes for
* the extension length field.
*/
uint16_t preferred_hashes_len = sizeof(s2n_preferred_hashes) / sizeof(s2n_preferred_hashes[0]);
uint16_t preferred_hashes_size = preferred_hashes_len * 2;
uint16_t extension_len_field_size = 2;
GUARD(s2n_stuffer_write_uint16(out, extension_len_field_size + preferred_hashes_size));
GUARD(s2n_send_client_signature_algorithms(out));
return 0;
}
int main(int argc, char **argv)
{
uint8_t u8; uint16_t u16; uint32_t u32;
uint32_t stuffer_size = nondet_uint32();
__CPROVER_assume(stuffer_size > 0);
uint32_t entropy_size = nondet_uint32();
__CPROVER_assume(entropy_size > 0);
uint8_t entropy[entropy_size];
struct s2n_stuffer stuffer;
GUARD(s2n_stuffer_alloc(&stuffer, stuffer_size));
struct s2n_blob in = {.data = entropy,.size = entropy_size};
GUARD(s2n_stuffer_write(&stuffer, &in));
GUARD(s2n_stuffer_wipe(&stuffer));
while(nondet_bool()) {
GUARD(s2n_stuffer_write_uint8(&stuffer, nondet_uint64()));
}
while(nondet_bool()) {
GUARD(s2n_stuffer_read_uint8(&stuffer, &u8));
}
GUARD(s2n_stuffer_wipe(&stuffer));
while(nondet_bool()) {
GUARD(s2n_stuffer_write_uint16(&stuffer, nondet_uint64()));
}
while(nondet_bool()) {
GUARD(s2n_stuffer_read_uint16(&stuffer, &u16));
}
GUARD(s2n_stuffer_wipe(&stuffer));
while(nondet_bool()) {
GUARD(s2n_stuffer_write_uint24(&stuffer, nondet_uint64()));
}
while(nondet_bool()) {
GUARD(s2n_stuffer_read_uint24(&stuffer, &u32));
}
GUARD(s2n_stuffer_wipe(&stuffer));
while(nondet_bool()) {
GUARD(s2n_stuffer_write_uint32(&stuffer, nondet_uint64()));
}
while(nondet_bool()) {
GUARD(s2n_stuffer_read_uint32(&stuffer, &u32));
}
GUARD(s2n_stuffer_free(&stuffer));
}
int s2n_dh_params_to_p_g_Ys(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *out, struct s2n_blob *output)
{
GUARD(s2n_check_all_dh_params(server_dh_params));
const BIGNUM *bn_p = s2n_get_p_dh_param(server_dh_params);
const BIGNUM *bn_g = s2n_get_g_dh_param(server_dh_params);
const BIGNUM *bn_Ys = s2n_get_Ys_dh_param(server_dh_params);
uint16_t p_size = BN_num_bytes(bn_p);
uint16_t g_size = BN_num_bytes(bn_g);
uint16_t Ys_size = BN_num_bytes(bn_Ys);
uint8_t *p;
uint8_t *g;
uint8_t *Ys;
output->data = s2n_stuffer_raw_write(out, 0);
notnull_check(output->data);
GUARD(s2n_stuffer_write_uint16(out, p_size));
p = s2n_stuffer_raw_write(out, p_size);
notnull_check(p);
if (BN_bn2bin(bn_p, p) != p_size) {
S2N_ERROR(S2N_ERR_DH_SERIALIZING);
}
GUARD(s2n_stuffer_write_uint16(out, g_size));
g = s2n_stuffer_raw_write(out, g_size);
notnull_check(g);
if (BN_bn2bin(bn_g, g) != g_size) {
S2N_ERROR(S2N_ERR_DH_SERIALIZING);
}
GUARD(s2n_stuffer_write_uint16(out, Ys_size));
Ys = s2n_stuffer_raw_write(out, Ys_size);
notnull_check(Ys);
if (BN_bn2bin(bn_Ys, Ys) != Ys_size) {
S2N_ERROR(S2N_ERR_DH_SERIALIZING);
}
output->size = p_size + 2 + g_size + 2 + Ys_size + 2;
return 0;
}
int s2n_send_client_signature_algorithms(struct s2n_stuffer *out)
{
/* The array of hashes and signature algorithms we support */
uint16_t preferred_hashes_len = sizeof(s2n_preferred_hashes) / sizeof(s2n_preferred_hashes[0]);
uint16_t preferred_hashes_size = preferred_hashes_len * 2;
GUARD(s2n_stuffer_write_uint16(out, preferred_hashes_size));
for (int i = 0; i < preferred_hashes_len; i++) {
GUARD(s2n_stuffer_write_uint8(out, s2n_preferred_hashes[i]));
GUARD(s2n_stuffer_write_uint8(out, TLS_SIGNATURE_ALGORITHM_RSA));
}
return 0;
}
static int s2n_write_signature_blob(struct s2n_stuffer *out, const struct s2n_pkey *priv_key, struct s2n_hash_state *digest)
{
struct s2n_blob signature = {0};
/* Leave signature length blank for now until we're done signing */
uint16_t sig_len = 0;
GUARD(s2n_stuffer_write_uint16(out, sig_len));
int max_signature_size = s2n_pkey_size(priv_key);
signature.size = max_signature_size;
signature.data = s2n_stuffer_raw_write(out, signature.size);
notnull_check(signature.data);
S2N_ERROR_IF(s2n_pkey_sign(priv_key, digest, &signature) < 0, S2N_ERR_DH_FAILED_SIGNING);
/* Now that the signature has been created, write the actual size that was stored in the signature blob */
out->write_cursor -= max_signature_size;
out->write_cursor -= 2;
GUARD(s2n_stuffer_write_uint16(out, signature.size));
GUARD(s2n_stuffer_skip_write(out, signature.size));
return 0;
}
int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *Yc_out, struct s2n_blob *shared_key)
{
struct s2n_dh_params client_params;
uint8_t *client_pub_key;
uint16_t client_pub_key_size;
int shared_key_size;
GUARD(s2n_dh_params_check(server_dh_params));
GUARD(s2n_dh_params_copy(server_dh_params, &client_params));
GUARD(s2n_dh_generate_ephemeral_key(&client_params));
GUARD(s2n_alloc(shared_key, DH_size(server_dh_params->dh)));
const BIGNUM *client_pub_key_bn = s2n_get_Ys_dh_param(&client_params);
client_pub_key_size = BN_num_bytes(client_pub_key_bn);
GUARD(s2n_stuffer_write_uint16(Yc_out, client_pub_key_size));
client_pub_key = s2n_stuffer_raw_write(Yc_out, client_pub_key_size);
if (client_pub_key == NULL) {
GUARD(s2n_free(shared_key));
GUARD(s2n_dh_params_free(&client_params));
S2N_ERROR(S2N_ERR_DH_WRITING_PUBLIC_KEY);
}
if (BN_bn2bin(client_pub_key_bn, client_pub_key) != client_pub_key_size) {
GUARD(s2n_free(shared_key));
GUARD(s2n_dh_params_free(&client_params));
S2N_ERROR(S2N_ERR_DH_COPYING_PUBLIC_KEY);
}
/* server_dh_params already validated */
const BIGNUM *server_pub_key_bn = s2n_get_Ys_dh_param(server_dh_params);
shared_key_size = DH_compute_key(shared_key->data, server_pub_key_bn, client_params.dh);
if (shared_key_size < 0) {
GUARD(s2n_free(shared_key));
GUARD(s2n_dh_params_free(&client_params));
S2N_ERROR(S2N_ERR_DH_SHARED_SECRET);
}
shared_key->size = shared_key_size;
GUARD(s2n_dh_params_free(&client_params));
return 0;
}
int s2n_client_hello_send(struct s2n_connection *conn)
{
uint32_t gmt_unix_time = time(NULL);
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_stuffer client_random;
struct s2n_blob b, r;
uint8_t session_id_len = 0;
uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN];
b.data = conn->secure.client_random;
b.size = S2N_TLS_RANDOM_DATA_LEN;
/* Create the client random data */
GUARD(s2n_stuffer_init(&client_random, &b));
GUARD(s2n_stuffer_write_uint32(&client_random, gmt_unix_time));
r.data = s2n_stuffer_raw_write(&client_random, S2N_TLS_RANDOM_DATA_LEN - 4);
r.size = S2N_TLS_RANDOM_DATA_LEN - 4;
notnull_check(r.data);
GUARD(s2n_get_public_random_data(&r));
client_protocol_version[0] = conn->client_protocol_version / 10;
client_protocol_version[1] = conn->client_protocol_version % 10;
conn->client_hello_version = conn->client_protocol_version;
GUARD(s2n_stuffer_write_bytes(out, client_protocol_version, S2N_TLS_PROTOCOL_VERSION_LEN));
GUARD(s2n_stuffer_copy(&client_random, out, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_stuffer_write_uint8(out, session_id_len));
GUARD(s2n_stuffer_write_uint16(out, conn->config->cipher_preferences->count * S2N_TLS_CIPHER_SUITE_LEN));
GUARD(s2n_stuffer_write_bytes(out, conn->config->cipher_preferences->wire_format, conn->config->cipher_preferences->count * S2N_TLS_CIPHER_SUITE_LEN));
/* Zero compression methods */
GUARD(s2n_stuffer_write_uint8(out, 1));
GUARD(s2n_stuffer_write_uint8(out, 0));
/* Write the extensions */
GUARD(s2n_client_extensions_send(conn, out));
return 0;
}
int s2n_kem_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
{
struct s2n_stuffer *out = &conn->handshake.io;
const struct s2n_kem *kem = conn->secure.s2n_kem_keys.negotiated_kem;
data_to_sign->data = s2n_stuffer_raw_write(out, 0);
notnull_check(data_to_sign->data);
GUARD(s2n_stuffer_write_uint8(out, kem->kem_extension_id));
GUARD(s2n_stuffer_write_uint16(out, kem->public_key_length));
/* The public key is not needed after this method, write it straight to the stuffer */
struct s2n_blob *public_key = &conn->secure.s2n_kem_keys.public_key;
public_key->data = s2n_stuffer_raw_write(out, kem->public_key_length);
notnull_check(public_key->data);
public_key->size = kem->public_key_length;
GUARD(s2n_kem_generate_keypair(&conn->secure.s2n_kem_keys));
data_to_sign->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + public_key->size;
return 0;
}
static int s2n_dhe_server_key_send(struct s2n_connection *conn)
{
struct s2n_blob serverDHparams, signature;
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_hash_state signature_hash;
/* Duplicate the DH key from the config */
GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->secure.server_dh_params));
/* Generate an ephemeral key */
GUARD(s2n_dh_generate_ephemeral_key(&conn->secure.server_dh_params));
/* Write it out */
GUARD(s2n_dh_params_to_p_g_Ys(&conn->secure.server_dh_params, out, &serverDHparams));
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_stuffer_write_uint8(out, TLS_HASH_ALGORITHM_SHA1));
GUARD(s2n_stuffer_write_uint8(out, TLS_SIGNATURE_ALGORITHM_RSA));
}
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
signature.size = s2n_rsa_private_encrypted_size(&conn->config->cert_and_key_pairs->private_key);
GUARD(s2n_stuffer_write_uint16(out, signature.size));
signature.data = s2n_stuffer_raw_write(out, signature.size);
notnull_check(signature.data);
if (s2n_rsa_sign(&conn->config->cert_and_key_pairs->private_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_DH_FAILED_SIGNING);
}
return 0;
}
int s2n_client_extensions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
{
uint16_t total_size = 0;
/* Signature algorithms */
if (conn->actual_protocol_version == S2N_TLS12) {
total_size += (sizeof(s2n_preferred_hashes) * 2) + 6;
}
uint16_t application_protocols_len = conn->config->application_protocols.size;
uint16_t server_name_len = strlen(conn->server_name);
uint16_t mfl_code_len = sizeof(conn->config->mfl_code);
if (server_name_len) {
total_size += 9 + server_name_len;
}
if (application_protocols_len) {
total_size += 6 + application_protocols_len;
}
if (conn->config->status_request_type != S2N_STATUS_REQUEST_NONE) {
total_size += 9;
}
if (conn->config->ct_type != S2N_CT_SUPPORT_NONE) {
total_size += 4;
}
if (conn->config->mfl_code != S2N_TLS_MAX_FRAG_LEN_EXT_NONE) {
total_size += 5;
}
/* Write ECC extensions: Supported Curves and Supported Point Formats */
int ec_curves_count = sizeof(s2n_ecc_supported_curves) / sizeof(s2n_ecc_supported_curves[0]);
total_size += 12 + ec_curves_count * 2;
GUARD(s2n_stuffer_write_uint16(out, total_size));
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_send_client_signature_algorithms_extension(conn, out));
}
if (server_name_len) {
/* Write the server name */
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_SERVER_NAME));
GUARD(s2n_stuffer_write_uint16(out, server_name_len + 5));
/* Size of all of the server names */
GUARD(s2n_stuffer_write_uint16(out, server_name_len + 3));
/* Name type - host name, RFC3546 */
GUARD(s2n_stuffer_write_uint8(out, 0));
struct s2n_blob server_name;
server_name.data = (uint8_t *) conn->server_name;
server_name.size = server_name_len;
GUARD(s2n_stuffer_write_uint16(out, server_name_len));
GUARD(s2n_stuffer_write(out, &server_name));
}
/* Write ALPN extension */
if (application_protocols_len) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_ALPN));
GUARD(s2n_stuffer_write_uint16(out, application_protocols_len + 2));
GUARD(s2n_stuffer_write_uint16(out, application_protocols_len));
GUARD(s2n_stuffer_write(out, &conn->config->application_protocols));
}
if (conn->config->status_request_type != S2N_STATUS_REQUEST_NONE) {
/* We only support OCSP */
eq_check(conn->config->status_request_type, S2N_STATUS_REQUEST_OCSP);
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_STATUS_REQUEST));
GUARD(s2n_stuffer_write_uint16(out, 5));
GUARD(s2n_stuffer_write_uint8(out, (uint8_t) conn->config->status_request_type));
GUARD(s2n_stuffer_write_uint16(out, 0));
GUARD(s2n_stuffer_write_uint16(out, 0));
}
/* Write Certificate Transparency extension */
if (conn->config->ct_type != S2N_CT_SUPPORT_NONE) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_SCT_LIST));
GUARD(s2n_stuffer_write_uint16(out, 0));
}
/* Write Maximum Fragmentation Length extension */
if (conn->config->mfl_code != S2N_TLS_MAX_FRAG_LEN_EXT_NONE) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_MAX_FRAG_LEN));
GUARD(s2n_stuffer_write_uint16(out, mfl_code_len));
GUARD(s2n_stuffer_write_uint8(out, conn->config->mfl_code));
}
/*
* RFC 4492: Clients SHOULD send both the Supported Elliptic Curves Extension
* and the Supported Point Formats Extension.
*/
{
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_ELLIPTIC_CURVES));
GUARD(s2n_stuffer_write_uint16(out, 2 + ec_curves_count * 2));
/* Curve list len */
GUARD(s2n_stuffer_write_uint16(out, ec_curves_count * 2));
/* Curve list */
for (int i = 0; i < ec_curves_count; i++) {
GUARD(s2n_stuffer_write_uint16(out, s2n_ecc_supported_curves[i].iana_id));
}
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_EC_POINT_FORMATS));
GUARD(s2n_stuffer_write_uint16(out, 2));
/* Point format list len */
GUARD(s2n_stuffer_write_uint8(out, 1));
/* Only allow uncompressed format */
GUARD(s2n_stuffer_write_uint8(out, 0));
}
return 0;
}
int s2n_record_write(struct s2n_connection *conn, uint8_t content_type, struct s2n_blob *in)
{
struct s2n_blob out, iv, aad;
uint8_t padding = 0;
uint16_t block_size = 0;
uint8_t aad_gen[S2N_TLS_MAX_AAD_LEN] = { 0 };
uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
uint8_t *sequence_number = conn->server->server_sequence_number;
struct s2n_hmac_state *mac = &conn->server->server_record_mac;
struct s2n_session_key *session_key = &conn->server->server_key;
const struct s2n_cipher_suite *cipher_suite = conn->server->cipher_suite;
uint8_t *implicit_iv = conn->server->server_implicit_iv;
if (conn->mode == S2N_CLIENT) {
sequence_number = conn->client->client_sequence_number;
mac = &conn->client->client_record_mac;
session_key = &conn->client->client_key;
cipher_suite = conn->client->cipher_suite;
implicit_iv = conn->client->client_implicit_iv;
}
S2N_ERROR_IF(s2n_stuffer_data_available(&conn->out), S2N_ERR_BAD_MESSAGE);
uint8_t mac_digest_size;
GUARD(s2n_hmac_digest_size(mac->alg, &mac_digest_size));
/* Before we do anything, we need to figure out what the length of the
* fragment is going to be.
*/
uint16_t data_bytes_to_take = MIN(in->size, s2n_record_max_write_payload_size(conn));
uint16_t extra = overhead(conn);
/* If we have padding to worry about, figure that out too */
if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
block_size = cipher_suite->record_alg->cipher->io.cbc.block_size;
if (((data_bytes_to_take + extra) % block_size)) {
padding = block_size - ((data_bytes_to_take + extra) % block_size);
}
} else if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
block_size = cipher_suite->record_alg->cipher->io.comp.block_size;
}
/* Start the MAC with the sequence number */
GUARD(s2n_hmac_update(mac, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
/* Now that we know the length, start writing the record */
GUARD(s2n_stuffer_write_uint8(&conn->out, content_type));
GUARD(s2n_record_write_protocol_version(conn));
/* First write a header that has the payload length, this is for the MAC */
GUARD(s2n_stuffer_write_uint16(&conn->out, data_bytes_to_take));
if (conn->actual_protocol_version > S2N_SSLv3) {
GUARD(s2n_hmac_update(mac, conn->out.blob.data, S2N_TLS_RECORD_HEADER_LENGTH));
} else {
/* SSLv3 doesn't include the protocol version in the MAC */
GUARD(s2n_hmac_update(mac, conn->out.blob.data, 1));
GUARD(s2n_hmac_update(mac, conn->out.blob.data + 3, 2));
}
/* Compute non-payload parts of the MAC(seq num, type, proto vers, fragment length) for composite ciphers.
* Composite "encrypt" will MAC the payload data and fill in padding.
*/
if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
/* Only fragment length is needed for MAC, but the EVP ctrl function needs fragment length + eiv len. */
uint16_t payload_and_eiv_len = data_bytes_to_take;
if (conn->actual_protocol_version > S2N_TLS10) {
payload_and_eiv_len += block_size;
}
/* Outputs number of extra bytes required for MAC and padding */
int pad_and_mac_len;
GUARD(cipher_suite->record_alg->cipher->io.comp.initial_hmac(session_key, sequence_number, content_type, conn->actual_protocol_version,
payload_and_eiv_len, &pad_and_mac_len));
extra += pad_and_mac_len;
}
/* Rewrite the length to be the actual fragment length */
uint16_t actual_fragment_length = data_bytes_to_take + padding + extra;
GUARD(s2n_stuffer_wipe_n(&conn->out, 2));
GUARD(s2n_stuffer_write_uint16(&conn->out, actual_fragment_length));
/* If we're AEAD, write the sequence number as an IV, and generate the AAD */
if (cipher_suite->record_alg->cipher->type == S2N_AEAD) {
struct s2n_stuffer iv_stuffer = {{0}};
iv.data = aad_iv;
iv.size = sizeof(aad_iv);
GUARD(s2n_stuffer_init(&iv_stuffer, &iv));
if (cipher_suite->record_alg->flags & S2N_TLS12_AES_GCM_AEAD_NONCE) {
/* Partially explicit nonce. See RFC 5288 Section 3 */
GUARD(s2n_stuffer_write_bytes(&conn->out, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, implicit_iv, cipher_suite->record_alg->cipher->io.aead.fixed_iv_size));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
} else if (cipher_suite->record_alg->flags & S2N_TLS12_CHACHA_POLY_AEAD_NONCE) {
/* Fully implicit nonce. See RFC7905 Section 2 */
uint8_t four_zeroes[4] = { 0 };
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, four_zeroes, 4));
GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
for(int i = 0; i < cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; i++) {
aad_iv[i] = aad_iv[i] ^ implicit_iv[i];
}
} else {
S2N_ERROR(S2N_ERR_INVALID_NONCE_TYPE);
}
/* Set the IV size to the amount of data written */
iv.size = s2n_stuffer_data_available(&iv_stuffer);
aad.data = aad_gen;
aad.size = sizeof(aad_gen);
struct s2n_stuffer ad_stuffer = {{0}};
GUARD(s2n_stuffer_init(&ad_stuffer, &aad));
GUARD(s2n_aead_aad_init(conn, sequence_number, content_type, data_bytes_to_take, &ad_stuffer));
} else if (cipher_suite->record_alg->cipher->type == S2N_CBC || cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
iv.size = block_size;
iv.data = implicit_iv;
/* For TLS1.1/1.2; write the IV with random data */
if (conn->actual_protocol_version > S2N_TLS10) {
GUARD(s2n_get_public_random_data(&iv));
GUARD(s2n_stuffer_write(&conn->out, &iv));
}
}
/* We are done with this sequence number, so we can increment it */
struct s2n_blob seq = {.data = sequence_number,.size = S2N_TLS_SEQUENCE_NUM_LEN };
GUARD(s2n_increment_sequence_number(&seq));
/* Write the plaintext data */
out.data = in->data;
out.size = data_bytes_to_take;
GUARD(s2n_stuffer_write(&conn->out, &out));
GUARD(s2n_hmac_update(mac, out.data, out.size));
/* Write the digest */
uint8_t *digest = s2n_stuffer_raw_write(&conn->out, mac_digest_size);
notnull_check(digest);
GUARD(s2n_hmac_digest(mac, digest, mac_digest_size));
GUARD(s2n_hmac_reset(mac));
if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
/* Include padding bytes, each with the value 'p', and
* include an extra padding length byte, also with the value 'p'.
*/
for (int i = 0; i <= padding; i++) {
GUARD(s2n_stuffer_write_uint8(&conn->out, padding));
}
}
/* Rewind to rewrite/encrypt the packet */
GUARD(s2n_stuffer_rewrite(&conn->out));
/* Skip the header */
GUARD(s2n_stuffer_skip_write(&conn->out, S2N_TLS_RECORD_HEADER_LENGTH));
uint16_t encrypted_length = data_bytes_to_take + mac_digest_size;
switch (cipher_suite->record_alg->cipher->type) {
case S2N_AEAD:
GUARD(s2n_stuffer_skip_write(&conn->out, cipher_suite->record_alg->cipher->io.aead.record_iv_size));
encrypted_length += cipher_suite->record_alg->cipher->io.aead.tag_size;
break;
case S2N_CBC:
if (conn->actual_protocol_version > S2N_TLS10) {
/* Leave the IV alone and unencrypted */
GUARD(s2n_stuffer_skip_write(&conn->out, iv.size));
}
/* Encrypt the padding and the padding length byte too */
encrypted_length += padding + 1;
break;
case S2N_COMPOSITE:
/* Composite CBC expects a pointer starting at explicit IV: [Explicit IV | fragment | MAC | padding | padding len ]
* extra will account for the explicit IV len(if applicable), MAC digest len, padding len + padding byte.
*/
encrypted_length += extra;
break;
default:
break;
}
/* Do the encryption */
struct s2n_blob en = {0};
en.size = encrypted_length;
en.data = s2n_stuffer_raw_write(&conn->out, en.size);
notnull_check(en.data);
switch (cipher_suite->record_alg->cipher->type) {
case S2N_STREAM:
GUARD(cipher_suite->record_alg->cipher->io.stream.encrypt(session_key, &en, &en));
break;
case S2N_CBC:
GUARD(cipher_suite->record_alg->cipher->io.cbc.encrypt(session_key, &iv, &en, &en));
/* Copy the last encrypted block to be the next IV */
if (conn->actual_protocol_version < S2N_TLS11) {
gte_check(en.size, block_size);
memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
}
break;
case S2N_AEAD:
GUARD(cipher_suite->record_alg->cipher->io.aead.encrypt(session_key, &iv, &aad, &en, &en));
break;
case S2N_COMPOSITE:
/* This will: compute mac, append padding, append padding length, and encrypt */
GUARD(cipher_suite->record_alg->cipher->io.comp.encrypt(session_key, &iv, &en, &en));
/* Copy the last encrypted block to be the next IV */
gte_check(en.size, block_size);
memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
break;
default:
S2N_ERROR(S2N_ERR_CIPHER_TYPE);
break;
}
conn->wire_bytes_out += actual_fragment_length + S2N_TLS_RECORD_HEADER_LENGTH;
return data_bytes_to_take;
}
int s2n_server_extensions_send(struct s2n_connection *conn, struct s2n_stuffer *out)
{
uint16_t total_size = 0;
uint8_t application_protocol_len = strlen(conn->application_protocol);
if (application_protocol_len) {
total_size += 7 + application_protocol_len;
}
if (s2n_server_can_send_ocsp(conn)) {
total_size += 4;
}
if (conn->secure_renegotiation) {
total_size += 5;
}
if (conn->secure.cipher_suite->key_exchange_alg->flags & S2N_KEY_EXCHANGE_ECC) {
total_size += 6;
}
if (total_size == 0) {
return 0;
}
GUARD(s2n_stuffer_write_uint16(out, total_size));
/* Write the Supported Points Format extention.
* RFC 4492 section 5.2 states that the absence of this extension in the Server Hello
* is equivalent to allowing only the uncompressed point format. Let's send the
* extension in case clients(Openssl 1.0.0) don't honor the implied behavior.
*/
if (conn->secure.cipher_suite->key_exchange_alg->flags & S2N_KEY_EXCHANGE_ECC) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_EC_POINT_FORMATS));
/* Total extension length */
GUARD(s2n_stuffer_write_uint16(out, 2));
/* Format list length */
GUARD(s2n_stuffer_write_uint8(out, 1));
/* Only uncompressed format is supported. Interoperability shouldn't be an issue:
* RFC 4492 Section 5.1.2: Implementations must support it for all of their curves.
*/
GUARD(s2n_stuffer_write_uint8(out, TLS_EC_FORMAT_UNCOMPRESSED));
}
/* Write the renegotiation_info extension */
if (conn->secure_renegotiation) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_RENEGOTIATION_INFO));
/* renegotiation_info length */
GUARD(s2n_stuffer_write_uint16(out, 1));
/* renegotiated_connection length. Zero since we don't support renegotiation. */
GUARD(s2n_stuffer_write_uint8(out, 0));
}
/* Write ALPN extension */
if (application_protocol_len) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_ALPN));
GUARD(s2n_stuffer_write_uint16(out, application_protocol_len + 3));
GUARD(s2n_stuffer_write_uint16(out, application_protocol_len + 1));
GUARD(s2n_stuffer_write_uint8(out, application_protocol_len));
GUARD(s2n_stuffer_write_bytes(out, (uint8_t *) conn->application_protocol, application_protocol_len));
}
/* Write OCSP extension */
if (s2n_server_can_send_ocsp(conn)) {
GUARD(s2n_stuffer_write_uint16(out, TLS_EXTENSION_STATUS_REQUEST));
GUARD(s2n_stuffer_write_uint16(out, 0));
}
return 0;
}
