int main(int argc, char **argv) { struct s2n_connection *conn; uint8_t mac_key[] = "sample mac key"; uint8_t aes128_key[] = "123456789012345"; struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) }; uint8_t random_data[S2N_LARGE_RECORD_LENGTH + 1]; struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)}; BEGIN_TEST(); EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); EXPECT_SUCCESS(s2n_get_urandom_data(&r)); /* Peer and we are in sync */ conn->server = &conn->secure; conn->client = &conn->secure; /* test the AES128 cipher with a SHA1 hash */ conn->secure.cipher_suite->cipher = &s2n_aes128; conn->secure.cipher_suite->hmac_alg = S2N_HMAC_SHA1; EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &aes128)); EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &aes128)); EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); conn->actual_protocol_version = S2N_TLS11; /* Align the record size, then subtract 20 bytes for the HMAC, 16 bytes for the explicit IV, and one byte * for the padding length byte. */ int small_aligned_payload = S2N_SMALL_FRAGMENT_LENGTH - (S2N_SMALL_FRAGMENT_LENGTH % 16) - 20 - 16 - 1; int large_aligned_payload = S2N_LARGE_FRAGMENT_LENGTH - (S2N_LARGE_FRAGMENT_LENGTH % 16) - 20 - 16 - 1; int bytes_written; /* Check the default: small record */ EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r)); EXPECT_EQUAL(bytes_written, small_aligned_payload); /* Check explicitly small records */ EXPECT_SUCCESS(s2n_connection_prefer_low_latency(conn)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r)); EXPECT_EQUAL(bytes_written, small_aligned_payload); /* Check explicitly large records */ EXPECT_SUCCESS(s2n_connection_prefer_throughput(conn)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r)); EXPECT_EQUAL(bytes_written, large_aligned_payload); /* Clean up */ EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.server_key)); EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.client_key)); EXPECT_SUCCESS(s2n_connection_free(conn)); EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); END_TEST(); }
int main(int argc, char **argv) { struct s2n_connection *conn; uint8_t mac_key[] = "sample mac key"; uint8_t rc4_key[] = "123456789012345"; struct s2n_blob key_iv = {.data = rc4_key,.size = sizeof(rc4_key) }; uint8_t random_data[S2N_SMALL_FRAGMENT_LENGTH + 1]; struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)}; BEGIN_TEST(); EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); EXPECT_SUCCESS(s2n_get_urandom_data(&r)); /* Peer and we are in sync */ conn->server = &conn->active; /* test the RC4 cipher with a SHA1 hash */ conn->active.cipher_suite->cipher = &s2n_rc4; conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1; EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.server_key)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.client_key)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &key_iv)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &key_iv)); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); conn->actual_protocol_version = S2N_TLS11; for (int i = 0; i <= S2N_SMALL_FRAGMENT_LENGTH + 1; i++) { struct s2n_blob in = {.data = random_data,.size = i }; int bytes_written; EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in)); if (i <= S2N_SMALL_FRAGMENT_LENGTH - 20) { EXPECT_EQUAL(bytes_written, i); } else { EXPECT_EQUAL(bytes_written, S2N_SMALL_FRAGMENT_LENGTH - 20); } uint16_t predicted_length = bytes_written + 20; EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA); EXPECT_EQUAL(conn->out.blob.data[1], 3); EXPECT_EQUAL(conn->out.blob.data[2], 2); EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff); EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff); /* The data should be encrypted */ if (bytes_written > 10) { EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0); } /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)) EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))) /* Check that the data looks right */ EXPECT_EQUAL(bytes_written + 20, s2n_stuffer_data_available(&conn->in)); /* Let's decrypt it */ uint8_t content_type; uint16_t fragment_length; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_SUCCESS(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_EQUAL(fragment_length, predicted_length); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key)); EXPECT_SUCCESS(s2n_connection_free(conn)); END_TEST(); }
int main(int argc, char **argv) { struct s2n_connection *conn; uint8_t random_data[S2N_DEFAULT_FRAGMENT_LENGTH + 1]; uint8_t mac_key[] = "sample mac key"; uint8_t aes128_key[] = "123456789012345"; uint8_t aes256_key[] = "1234567890123456789012345678901"; struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) }; struct s2n_blob aes256 = {.data = aes256_key,.size = sizeof(aes256_key) }; struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)}; BEGIN_TEST(); EXPECT_SUCCESS(s2n_init()); EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); EXPECT_SUCCESS(s2n_get_urandom_data(&r)); /* Peer and we are in sync */ conn->server = &conn->active; conn->client = &conn->active; /* test the AES128 cipher with a SHA1 hash */ conn->active.cipher_suite->cipher = &s2n_aes128_gcm; conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1; EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes128)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes128)); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); conn->actual_protocol_version = S2N_TLS12; int max_fragment = S2N_DEFAULT_FRAGMENT_LENGTH; for (int i = 0; i <= max_fragment + 1; i++) { struct s2n_blob in = {.data = random_data,.size = i }; int bytes_written; EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in)); static const int overhead = 20 /* TLS header */ + 8 /* IV */ + 16; /* TAG */ if (i < max_fragment - overhead) { EXPECT_EQUAL(bytes_written, i); } else { EXPECT_EQUAL(bytes_written, max_fragment - overhead); } uint16_t predicted_length = bytes_written + 20; predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size; predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size; EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA); EXPECT_EQUAL(conn->out.blob.data[1], 3); EXPECT_EQUAL(conn->out.blob.data[2], 3); EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff); EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff); /* The data should be encrypted */ if (bytes_written > 10) { EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0); } /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); /* Let's decrypt it */ uint8_t content_type; uint16_t fragment_length; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_SUCCESS(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_EQUAL(fragment_length, predicted_length); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); /* Now lets corrupt some data and ensure the tests pass */ /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); /* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */ conn->in.blob.data[2] = 2; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); /* Tamper with the IV and ensure decryption fails */ for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[5 + j] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } /* Tamper with the TAG and ensure decryption fails */ for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[conn->in.blob.size - j - 1] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } /* Tamper w ith the cipher text and ensure decryption fails */ for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[5 + j] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } } EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key)); EXPECT_SUCCESS(s2n_connection_free(conn)); /* test the AES256 cipher with a SHA1 hash */ EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); conn->active.cipher_suite->cipher = &s2n_aes256_gcm; conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1; EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes256)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes256)); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); conn->actual_protocol_version = S2N_TLS12; for (int i = 0; i <= max_fragment + 1; i++) { struct s2n_blob in = {.data = random_data,.size = i }; int bytes_written; EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out)); EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in)); static const int overhead = 20 /* TLS header */ + 8 /* IV */ + 16; /* TAG */ if (i < max_fragment - overhead) { EXPECT_EQUAL(bytes_written, i); } else { EXPECT_EQUAL(bytes_written, max_fragment - overhead); } uint16_t predicted_length = bytes_written + 20; predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size; predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size; EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA); EXPECT_EQUAL(conn->out.blob.data[1], 3); EXPECT_EQUAL(conn->out.blob.data[2], 3); EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff); EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff); /* The data should be encrypted */ if (bytes_written > 10) { EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0); } /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); /* Let's decrypt it */ uint8_t content_type; uint16_t fragment_length; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_SUCCESS(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_EQUAL(fragment_length, predicted_length); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); /* Now lets corrupt some data and ensure the tests pass */ /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); /* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */ conn->in.blob.data[2] = 2; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); /* Tamper with the IV and ensure decryption fails */ for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[5 + j] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } /* Tamper with the TAG and ensure decryption fails */ for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[conn->in.blob.size - j - 1] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } /* Tamper w ith the cipher text and ensure decryption fails */ for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) { /* Copy the encrypted out data to the in data */ EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5)); EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out))); conn->in.blob.data[5 + j] ++; EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length)); EXPECT_FAILURE(s2n_record_parse(conn)); EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in)); EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in)); } } EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key)); EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key)); EXPECT_SUCCESS(s2n_connection_free(conn)); END_TEST(); }
int main(int argc, char **argv) { uint8_t data[256] = { 0 }; struct s2n_drbg drbg = {{ 0 }}; struct s2n_blob blob = {.data = data, .size = 64 }; struct s2n_timer timer; uint64_t drbg_nanoseconds; uint64_t urandom_nanoseconds; struct s2n_stuffer nist_reference_personalization_strings; struct s2n_stuffer nist_reference_returned_bits; struct s2n_stuffer nist_reference_values; struct s2n_config *config; BEGIN_TEST(); EXPECT_NOT_NULL(config = s2n_config_new()) /* Open /dev/urandom */ EXPECT_TRUE(entropy_fd = open("/dev/urandom", O_RDONLY)); /* Convert the hex entropy data into binary */ EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_entropy, nist_reference_entropy_hex)); EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_personalization_strings, nist_reference_personalization_strings_hex)); EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_returned_bits, nist_reference_returned_bits_hex)); EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_values, nist_reference_values_hex)); /* Check everything against the NIST vectors */ for (int i = 0; i < 14; i++) { uint8_t ps[32]; struct s2n_drbg nist_drbg = { .entropy_generator = nist_fake_urandom_data }; struct s2n_blob personalization_string = {.data = ps, .size = 32}; /* Read the next personalization string */ EXPECT_SUCCESS(s2n_stuffer_read(&nist_reference_personalization_strings, &personalization_string)); /* Instantiate the DRBG */ EXPECT_SUCCESS(s2n_drbg_instantiate(&nist_drbg, &personalization_string)); uint8_t nist_v[16]; GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v))); EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0); /* Generate 512 bits (FIRST CALL) */ uint8_t out[64]; struct s2n_blob generated = {.data = out, .size = 64 }; EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated)); GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v))); EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0); /* Generate another 512 bits (SECOND CALL) */ EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated)); GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v))); EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0); uint8_t nist_returned_bits[64]; GUARD(s2n_stuffer_read_bytes(&nist_reference_returned_bits, nist_returned_bits, sizeof(nist_returned_bits))); EXPECT_TRUE(memcmp(nist_returned_bits, out, sizeof(nist_returned_bits)) == 0); EXPECT_SUCCESS(s2n_drbg_wipe(&nist_drbg)); } EXPECT_SUCCESS(s2n_drbg_instantiate(&drbg, &blob)); /* Use the DRBG for 32MB of data */ EXPECT_SUCCESS(s2n_timer_start(config, &timer)); for (int i = 0; i < 500000; i++) { EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob)); } EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &drbg_nanoseconds)); /* Use urandom for 32MB of data */ EXPECT_SUCCESS(s2n_timer_start(config, &timer)); for (int i = 0; i < 500000; i++) { EXPECT_SUCCESS(s2n_get_urandom_data(&blob)); } EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &urandom_nanoseconds)); /* Confirm that the DRBG is faster than urandom */ EXPECT_TRUE(drbg_nanoseconds < urandom_nanoseconds); /* NOTE: s2n_random_test also includes monobit tests for this DRBG */ /* the DRBG state is 128 bytes, test that we can get more than that */ blob.size = 129; for (int i = 0; i < 10; i++) { EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob)); } EXPECT_SUCCESS(s2n_drbg_wipe(&drbg)); EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_entropy)); EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_personalization_strings)); EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_returned_bits)); EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_values)); END_TEST(); }
static int s2n_drbg_bits(struct s2n_drbg *drbg, struct s2n_blob *out) { struct s2n_blob value = {.data = drbg->v, .size = sizeof(drbg->v) }; int block_aligned_size = out->size - (out->size % S2N_DRBG_BLOCK_SIZE); /* Per NIST SP800-90A 10.2.1.2: */ for (int i = 0; i < block_aligned_size; i += S2N_DRBG_BLOCK_SIZE) { GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(&drbg->ctx, drbg->v, out->data + i)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; } if (out->size <= block_aligned_size) { return 0; } uint8_t spare_block[S2N_DRBG_BLOCK_SIZE]; GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(&drbg->ctx, drbg->v, spare_block)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; memcpy_check(out->data + block_aligned_size, spare_block, out->size - block_aligned_size); return 0; } static int s2n_drbg_update(struct s2n_drbg *drbg, struct s2n_blob *provided_data) { uint8_t temp[32]; struct s2n_blob temp_blob = {.data = temp, .size = sizeof(temp) }; eq_check(provided_data->size, sizeof(temp)); GUARD(s2n_drbg_bits(drbg, &temp_blob)); /* XOR in the provided data */ for (int i = 0; i < provided_data->size; i++) { temp[i] ^= provided_data->data[i]; } /* Update the key and value */ if (EVP_EncryptInit_ex(&drbg->ctx, EVP_aes_128_ecb(), NULL, temp, NULL) != 1) { S2N_ERROR(S2N_ERR_DRBG); } memcpy_check(drbg->v, temp + S2N_DRBG_BLOCK_SIZE, S2N_DRBG_BLOCK_SIZE); return 0; } int s2n_drbg_seed(struct s2n_drbg *drbg) { uint8_t seed[32]; struct s2n_blob blob = {.data = seed, .size = sizeof(seed) }; if (drbg->entropy_generator) { GUARD(drbg->entropy_generator(&blob)); } else { GUARD(s2n_get_urandom_data(&blob)); } for (int i = 0; i < sizeof(drbg->ps); i++) { blob.data[i] ^= drbg->ps[i]; } GUARD(s2n_drbg_update(drbg, &blob)); drbg->bytes_used = 0; drbg->generation += 1; return 0; } int s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personalization_string) { struct s2n_blob value = {.data = drbg->v, .size = sizeof(drbg->v) }; struct s2n_blob ps = {.data = drbg->ps, .size = sizeof(drbg->ps) }; /* Start off with zerod data, per 10.2.1.3.1 item 4 */ GUARD(s2n_blob_zero(&value)); /* Start off with zerod key, per 10.2.1.3.1 item 5 */ (void) EVP_CIPHER_CTX_init(&drbg->ctx); if (EVP_EncryptInit_ex(&drbg->ctx, EVP_aes_128_ecb(), NULL, drbg->v, NULL) != 1) { S2N_ERROR(S2N_ERR_DRBG); } /* Copy the personalization string */ GUARD(s2n_blob_zero(&ps)); memcpy_check(ps.data, personalization_string->data, MIN(ps.size, personalization_string->size)); /* Seed / update the DRBG */ GUARD(s2n_drbg_seed(drbg)); return 0; } int s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *blob) { uint8_t all_zeros[32] = { 0 }; struct s2n_blob zeros = {.data = all_zeros, .size = sizeof(all_zeros) }; if (blob->size > S2N_DRBG_GENERATE_LIMIT) { S2N_ERROR(S2N_ERR_DRBG_REQUEST_SIZE); } if (drbg->bytes_used + blob->size + S2N_DRBG_BLOCK_SIZE >= S2N_DRBG_RESEED_LIMIT) { GUARD(s2n_drbg_seed(drbg)); } GUARD(s2n_drbg_bits(drbg, blob)); GUARD(s2n_drbg_update(drbg, &zeros)); return 0; } int s2n_drbg_wipe(struct s2n_drbg *drbg) { struct s2n_blob state = {.data = (void *) drbg, .size = sizeof(struct s2n_drbg) }; if (EVP_CIPHER_CTX_cleanup(&drbg->ctx) != 1) { S2N_ERROR(S2N_ERR_DRBG); } GUARD(s2n_blob_zero(&state)); return 0; } int s2n_drbg_bytes_used(struct s2n_drbg *drbg) { return drbg->bytes_used; }
static int s2n_drbg_bits(struct s2n_drbg *drbg, struct s2n_blob *out) { struct s2n_blob value = {.data = drbg->v,.size = sizeof(drbg->v) }; int block_aligned_size = out->size - (out->size % S2N_DRBG_BLOCK_SIZE); /* Per NIST SP800-90A 10.2.1.2: */ for (int i = 0; i < block_aligned_size; i += S2N_DRBG_BLOCK_SIZE) { GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(drbg->ctx, drbg->v, out->data + i)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; } if (out->size <= block_aligned_size) { return 0; } uint8_t spare_block[S2N_DRBG_BLOCK_SIZE]; GUARD(s2n_increment_sequence_number(&value)); GUARD(s2n_drbg_block_encrypt(drbg->ctx, drbg->v, spare_block)); drbg->bytes_used += S2N_DRBG_BLOCK_SIZE; memcpy_check(out->data + block_aligned_size, spare_block, out->size - block_aligned_size); return 0; } static int s2n_drbg_update(struct s2n_drbg *drbg, struct s2n_blob *provided_data) { uint8_t temp[32]; struct s2n_blob temp_blob = {.data = temp,.size = sizeof(temp) }; eq_check(provided_data->size, sizeof(temp)); GUARD(s2n_drbg_bits(drbg, &temp_blob)); /* XOR in the provided data */ for (int i = 0; i < provided_data->size; i++) { temp[i] ^= provided_data->data[i]; } /* Update the key and value */ GUARD_OSSL(EVP_EncryptInit_ex(drbg->ctx, EVP_aes_128_ecb(), NULL, temp, NULL), S2N_ERR_DRBG); memcpy_check(drbg->v, temp + S2N_DRBG_BLOCK_SIZE, S2N_DRBG_BLOCK_SIZE); return 0; } int s2n_drbg_seed(struct s2n_drbg *drbg, struct s2n_blob *ps) { uint8_t seed[32]; struct s2n_blob blob = {.data = seed,.size = sizeof(seed) }; lte_check(ps->size, sizeof(seed)); if (drbg->entropy_generator) { GUARD(drbg->entropy_generator(&blob)); } else { GUARD(s2n_get_urandom_data(&blob)); } for (int i = 0; i < ps->size; i++) { blob.data[i] ^= ps->data[i]; } GUARD(s2n_drbg_update(drbg, &blob)); drbg->bytes_used = 0; drbg->generation += 1; return 0; } int s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personalization_string) { struct s2n_blob value = {.data = drbg->v,.size = sizeof(drbg->v) }; uint8_t ps_prefix[32]; struct s2n_blob ps = {.data = ps_prefix,.size = sizeof(ps_prefix) }; /* Start off with zeroed data, per 10.2.1.3.1 item 4 */ GUARD(s2n_blob_zero(&value)); drbg->ctx = EVP_CIPHER_CTX_new(); S2N_ERROR_IF(!drbg->ctx, S2N_ERR_DRBG); (void)EVP_CIPHER_CTX_init(drbg->ctx); /* Start off with zeroed key, per 10.2.1.3.1 item 5 */ GUARD_OSSL(EVP_EncryptInit_ex(drbg->ctx, EVP_aes_128_ecb(), NULL, drbg->v, NULL), S2N_ERR_DRBG); /* Copy the personalization string */ GUARD(s2n_blob_zero(&ps)); memcpy_check(ps.data, personalization_string->data, MIN(ps.size, personalization_string->size)); /* Seed / update the DRBG */ GUARD(s2n_drbg_seed(drbg, &ps)); /* After initial seeding, pivot to RDRAND if available and not overridden */ if (drbg->entropy_generator == NULL && s2n_cpu_supports_rdrand()) { drbg->entropy_generator = s2n_get_rdrand_data; } return 0; } int s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *blob) { uint8_t all_zeros[32] = { 0 }; struct s2n_blob zeros = {.data = all_zeros,.size = sizeof(all_zeros) }; S2N_ERROR_IF(blob->size > S2N_DRBG_GENERATE_LIMIT, S2N_ERR_DRBG_REQUEST_SIZE); /* If either the entropy generator is set, for prediction resistance, * or if we reach the definitely-need-to-reseed limit, then reseed. */ if (drbg->entropy_generator || drbg->bytes_used + blob->size + S2N_DRBG_BLOCK_SIZE >= S2N_DRBG_RESEED_LIMIT) { GUARD(s2n_drbg_seed(drbg, &zeros)); } GUARD(s2n_drbg_bits(drbg, blob)); GUARD(s2n_drbg_update(drbg, &zeros)); return 0; } int s2n_drbg_wipe(struct s2n_drbg *drbg) { struct s2n_blob state = {.data = (void *)drbg,.size = sizeof(struct s2n_drbg) }; if (drbg->ctx) { GUARD_OSSL(EVP_CIPHER_CTX_cleanup(drbg->ctx), S2N_ERR_DRBG); EVP_CIPHER_CTX_free(drbg->ctx); drbg->ctx = NULL; } GUARD(s2n_blob_zero(&state)); return 0; } int s2n_drbg_bytes_used(struct s2n_drbg *drbg) { return drbg->bytes_used; }
int main(int argc, char **argv) { uint8_t data[10000000]; uint8_t *ptr = data; struct s2n_connection *conn; struct s2n_config *config; s2n_blocked_status blocked; int status; pid_t pid; int server_to_client[2]; int client_to_server[2]; struct s2n_blob blob = {.data = data, .size = sizeof(data)}; BEGIN_TEST(); EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0)); EXPECT_NOT_NULL(config = s2n_config_new()); EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(config, certificate, private_key)); EXPECT_SUCCESS(s2n_config_add_dhparams(config, dhparams)); /* Get some random data to send/receive */ EXPECT_SUCCESS(s2n_get_urandom_data(&blob)); /* Create a pipe */ EXPECT_SUCCESS(pipe(server_to_client)); EXPECT_SUCCESS(pipe(client_to_server)); /* Create a child process */ pid = fork(); if (pid == 0) { /* This is the child process, close the read end of the pipe */ EXPECT_SUCCESS(close(client_to_server[0])); EXPECT_SUCCESS(close(server_to_client[1])); /* Run the client */ mock_client(client_to_server[1], server_to_client[0], data, sizeof(data)); } /* This is the parent */ EXPECT_SUCCESS(close(client_to_server[1])); EXPECT_SUCCESS(close(server_to_client[0])); EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); EXPECT_SUCCESS(s2n_connection_set_config(conn, config)); /* Set up the connection to read from the fd */ EXPECT_SUCCESS(s2n_connection_set_read_fd(conn, client_to_server[0])); EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, server_to_client[1])); /* Negotiate the handshake. */ EXPECT_SUCCESS(s2n_negotiate(conn, &blocked)); /* Pause the child process by sending it SIGSTP */ EXPECT_SUCCESS(kill(pid, SIGSTOP)); /* Make our pipes non-blocking */ EXPECT_NOT_EQUAL(fcntl(client_to_server[0], F_SETFL, fcntl(client_to_server[0], F_GETFL) | O_NONBLOCK), -1); EXPECT_NOT_EQUAL(fcntl(server_to_client[1], F_SETFL, fcntl(server_to_client[1], F_GETFL) | O_NONBLOCK), -1); /* Try to all 10MB of data, should be enough to fill PIPEBUF, so we'll get blocked at some point */ uint32_t remaining = sizeof(data); while (remaining) { int r = s2n_send(conn, ptr, remaining, &blocked); if (r < 0) { if (blocked) { /* We reached a blocked state */ break; } continue; } remaining -= r; ptr += r; } /* Remaining shouldn't have progressed at all */ EXPECT_EQUAL(remaining, sizeof(data)); /* Wake the child process by sending it SIGCONT */ EXPECT_SUCCESS(kill(pid, SIGCONT)); /* Make our sockets blocking again */ EXPECT_NOT_EQUAL(fcntl(client_to_server[0], F_SETFL, fcntl(client_to_server[0], F_GETFL) ^ O_NONBLOCK), -1); EXPECT_NOT_EQUAL(fcntl(server_to_client[1], F_SETFL, fcntl(server_to_client[1], F_GETFL) ^ O_NONBLOCK), -1); /* Actually send the remaining data */ while (remaining) { int r = s2n_send(conn, ptr, remaining, &blocked); if (r < 0) { continue; } remaining -= r; ptr += r; } EXPECT_SUCCESS(s2n_shutdown(conn, &blocked)); EXPECT_SUCCESS(s2n_connection_free(conn)); /* Clean up */ EXPECT_EQUAL(waitpid(-1, &status, 0), pid); EXPECT_EQUAL(status, 0); EXPECT_SUCCESS(s2n_config_free(config)); END_TEST(); return 0; }