static int s2n_sslv3_mac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE;
if (alg == S2N_HMAC_SSLv3_MD5) {
hash_alg = S2N_HASH_MD5;
}
if (alg == S2N_HMAC_SSLv3_SHA1) {
hash_alg = S2N_HASH_SHA1;
}
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
GUARD(s2n_hash_update(&state->inner_just_key, key, klen));
GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x5c;
}
GUARD(s2n_hash_init(&state->outer, hash_alg));
GUARD(s2n_hash_update(&state->outer, key, klen));
GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size));
/* Copy inner_just_key to inner */
return s2n_hmac_reset(state);
}
int s2n_server_key_send(struct s2n_connection *conn)
{
struct s2n_hash_state *signature_hash = &conn->secure.signature_hash;
const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_blob data_to_sign = {0};
/* Call the negotiated key exchange method to send it's data */
GUARD(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
/* Add common signature data */
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_stuffer_write_uint8(out, s2n_hash_alg_to_tls[ conn->secure.conn_hash_alg ]));
GUARD(s2n_stuffer_write_uint8(out, conn->secure.conn_sig_alg));
}
/* Add the random data to the hash */
GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg));
GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
/* Add KEX specific data to the hash */
GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
/* Sign and write the signature */
GUARD(s2n_write_signature_blob(out, conn->handshake_params.our_chain_and_key->private_key, signature_hash));
return 0;
}
int s2n_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state *signature_hash = &conn->secure.signature_hash;
const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob data_to_verify = {0};
/* Read the KEX data */
union s2n_kex_raw_server_data kex_data = {{{0}}};
GUARD(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
/* Add common signature data */
if (conn->actual_protocol_version == S2N_TLS12) {
s2n_hash_algorithm hash_algorithm;
s2n_signature_algorithm signature_algorithm;
GUARD(s2n_get_signature_hash_pair_if_supported(in, &hash_algorithm, &signature_algorithm));
GUARD(s2n_hash_init(signature_hash, hash_algorithm));
} else {
GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg));
}
GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
/* Add KEX specific data */
GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
/* Verify the signature */
uint16_t signature_length;
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
struct s2n_blob signature = {.size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length)};
notnull_check(signature.data);
gt_check(signature_length, 0);
S2N_ERROR_IF(s2n_pkey_verify(&conn->secure.server_public_key, signature_hash, &signature) < 0, S2N_ERR_BAD_MESSAGE);
/* We don't need the key any more, so free it */
GUARD(s2n_pkey_free(&conn->secure.server_public_key));
/* Parse the KEX data into whatever form needed and save it to the connection object */
GUARD(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
return 0;
}
int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, union s2n_kex_raw_server_data *raw_server_data)
{
struct s2n_stuffer *in = &conn->handshake.io;
GUARD(s2n_ecc_read_ecc_params(in, data_to_verify, &raw_server_data->ecdhe_data));
return 0;
}
int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, union s2n_kex_raw_server_data *raw_server_data)
{
GUARD(s2n_ecc_parse_ecc_params(&conn->secure.server_ecc_params, &raw_server_data->ecdhe_data));
return 0;
}
int s2n_hmac_digest(struct s2n_hmac_state *state, void *out, uint32_t size)
{
if (state->alg == S2N_HMAC_SSLv3_SHA1 || state->alg == S2N_HMAC_SSLv3_MD5) {
return s2n_sslv3_mac_digest(state, out, size);
}
GUARD(s2n_hash_digest(&state->inner, state->digest_pad, state->digest_size));
GUARD(s2n_hash_reset(&state->outer));
GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size));
GUARD(s2n_hash_update(&state->outer, state->digest_pad, state->digest_size));
return s2n_hash_digest(&state->outer, out, size);
}
int s2n_hmac_update(struct s2n_hmac_state *state, const void *in, uint32_t size)
{
/* Keep track of how much of the current hash block is full */
state->currently_in_hash_block += (128000 + size) % state->hash_block_size;
state->currently_in_hash_block %= state->block_size;
return s2n_hash_update(&state->inner, in, size);
}
static int s2n_sslv3_mac_digest(struct s2n_hmac_state *state, void *out, uint32_t size)
{
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x5c;
}
GUARD(s2n_hash_digest(&state->inner, state->digest_pad, state->digest_size));
memcpy_check(&state->inner, &state->outer, sizeof(state->inner));
GUARD(s2n_hash_update(&state->inner, state->digest_pad, state->digest_size));
return s2n_hash_digest(&state->inner, out, size);
}
static int s2n_ecdsa_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey *priv)
{
uint8_t input[16] = { 1 };
DEFER_CLEANUP(struct s2n_blob signature = { 0 }, s2n_free);
DEFER_CLEANUP(struct s2n_hash_state state_in = { 0 }, s2n_hash_free);
DEFER_CLEANUP(struct s2n_hash_state state_out = { 0 }, s2n_hash_free);
/* s2n_hash_new only allocates memory when using high-level EVP hashes, currently restricted to FIPS mode. */
GUARD(s2n_hash_new(&state_in));
GUARD(s2n_hash_new(&state_out));
GUARD(s2n_hash_init(&state_in, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&state_out, S2N_HASH_SHA1));
GUARD(s2n_hash_update(&state_in, input, sizeof(input)));
GUARD(s2n_hash_update(&state_out, input, sizeof(input)));
GUARD(s2n_alloc(&signature, s2n_ecdsa_der_signature_size(priv)));
GUARD(s2n_ecdsa_sign(priv, &state_in, &signature));
GUARD(s2n_ecdsa_verify(pub, &state_out, &signature));
return 0;
}
static uint32_t s2n_map_slot(struct s2n_map *map, struct s2n_blob *key)
{
union {
uint8_t u8[32];
uint32_t u32[8];
} digest;
GUARD(s2n_hash_update(&map->sha256, key->data, key->size));
GUARD(s2n_hash_digest(&map->sha256, digest.u8, sizeof(digest)));
GUARD(s2n_hash_reset(&map->sha256));
return digest.u32[0] % map->capacity;
}
static int s2n_dhe_server_key_send(struct s2n_connection *conn)
{
struct s2n_blob serverDHparams, signature;
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_hash_state signature_hash;
/* Duplicate the DH key from the config */
GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->secure.server_dh_params));
/* Generate an ephemeral key */
GUARD(s2n_dh_generate_ephemeral_key(&conn->secure.server_dh_params));
/* Write it out */
GUARD(s2n_dh_params_to_p_g_Ys(&conn->secure.server_dh_params, out, &serverDHparams));
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_stuffer_write_uint8(out, TLS_HASH_ALGORITHM_SHA1));
GUARD(s2n_stuffer_write_uint8(out, TLS_SIGNATURE_ALGORITHM_RSA));
}
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
signature.size = s2n_rsa_private_encrypted_size(&conn->config->cert_and_key_pairs->private_key);
GUARD(s2n_stuffer_write_uint16(out, signature.size));
signature.data = s2n_stuffer_raw_write(out, signature.size);
notnull_check(signature.data);
if (s2n_rsa_sign(&conn->config->cert_and_key_pairs->private_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_DH_FAILED_SIGNING);
}
return 0;
}
static int s2n_sslv3_prf(struct s2n_prf_working_space *ws, struct s2n_blob *secret, struct s2n_blob *seed_a,
struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
{
struct s2n_hash_state *md5 = &ws->ssl3.md5;
struct s2n_hash_state *sha1 = &ws->ssl3.sha1;
uint32_t outputlen = out->size;
uint8_t *output = out->data;
uint8_t iteration = 1;
uint8_t A = 'A';
while (outputlen) {
GUARD(s2n_hash_reset(sha1));
for (int i = 0; i < iteration; i++) {
GUARD(s2n_hash_update(sha1, &A, 1));
}
GUARD(s2n_hash_update(sha1, secret->data, secret->size));
GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
if (seed_b) {
GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
if (seed_c) {
GUARD(s2n_hash_update(sha1, seed_c->data, seed_c->size));
}
}
GUARD(s2n_hash_digest(sha1, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest)));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(md5, secret->data, secret->size));
GUARD(s2n_hash_update(md5, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest)));
GUARD(s2n_hash_digest(md5, ws->ssl3.md5_digest, sizeof(ws->ssl3.md5_digest)));
uint32_t bytes_to_copy = MIN(outputlen, sizeof(ws->ssl3.md5_digest));
memcpy_check(output, ws->ssl3.md5_digest, bytes_to_copy);
outputlen -= bytes_to_copy;
output += bytes_to_copy;
/* Increment the letter */
A++;
iteration++;
}
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_reset(sha1));
return 0;
}
int s2n_hmac_digest_two_compression_rounds(struct s2n_hmac_state *state, void *out, uint32_t size)
{
GUARD(s2n_hmac_digest(state, out, size));
/* If there were 9 or more bytes of space left in the current hash block
* then the serialized length, plus an 0x80 byte, will have fit in that block.
* If there were fewer than 9 then adding the length will have caused an extra
* compression block round. This digest function always does two compression rounds,
* even if there is no need for the second.
*/
if (state->currently_in_hash_block > (state->hash_block_size - 9))
{
return 0;
}
return s2n_hash_update(&state->inner, state->xor_pad, state->hash_block_size);
}
static int s2n_dhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob p, g, Ys, serverDHparams, signature;
uint16_t p_length;
uint16_t g_length;
uint16_t Ys_length;
uint16_t signature_length;
/* Keep a copy to the start of the whole structure for the signature check */
serverDHparams.data = s2n_stuffer_raw_read(in, 0);
notnull_check(serverDHparams.data);
/* Read each of the three elements in */
GUARD(s2n_stuffer_read_uint16(in, &p_length));
p.size = p_length;
p.data = s2n_stuffer_raw_read(in, p.size);
notnull_check(p.data);
GUARD(s2n_stuffer_read_uint16(in, &g_length));
g.size = g_length;
g.data = s2n_stuffer_raw_read(in, g.size);
notnull_check(g.data);
GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
Ys.size = Ys_length;
Ys.data = s2n_stuffer_raw_read(in, Ys.size);
notnull_check(Ys.data);
/* Now we know the total size of the structure */
serverDHparams.size = 2 + p_length + 2 + g_length + 2 + Ys_length;
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
/* Copy the DH details */
GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->secure.server_dh_params, &p, &g, &Ys));
return 0;
}
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
{
/* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
S2N_ERROR_IF(seed_a == NULL, S2N_ERR_PRF_INVALID_SEED);
S2N_ERROR_IF(seed_b == NULL && seed_c != NULL, S2N_ERR_PRF_INVALID_SEED);
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, seed_c, out);
}
/* We zero the out blob because p_hash works by XOR'ing with the existing
* buffer. This is a little convoluted but means we can avoid dynamic memory
* allocation. When we call p_hash once (in the TLS1.2 case) it will produce
* the right values. When we call it twice in the regular case, the two
* outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
*/
GUARD(s2n_blob_zero(out));
/* Ensure that p_hash_hmac_impl is set, as it may have been reset for prf_space on s2n_connection_wipe.
* When in FIPS mode, the EVP API's must be used for the p_hash HMAC.
*/
conn->prf_space.tls.p_hash_hmac_impl = s2n_is_in_fips_mode() ? &s2n_evp_hmac : &s2n_hmac;
if (conn->actual_protocol_version == S2N_TLS12) {
return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b,
seed_c, out);
}
struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 };
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
half_secret.data += secret->size - half_secret.size;
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
return 0;
}
int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};
uint8_t master_secret_label[] = "master secret";
struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};
return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
}
int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};
uint8_t master_secret_label[] = "hybrid master secret";
struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};
return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->secure.client_key_exchange_message, &master_secret);
}
static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t * out)
{
uint8_t xorpad1[48] =
{ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
uint8_t xorpad2[48] =
{ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
};
uint8_t *md5_digest = out;
uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
GUARD(s2n_hash_update(md5, prefix, 4));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad1, 48));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad2, 48));
GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(sha1, prefix, 4));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad1, 40));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad2, 40));
GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
return 0;
}
static int s2n_sslv3_client_finished(struct s2n_connection *conn)
{
uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.client_finished);
}
static int s2n_sslv3_server_finished(struct s2n_connection *conn)
{
uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished));
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.server_finished);
}
int s2n_prf_client_finished(struct s2n_connection *conn)
{
struct s2n_blob master_secret, md5, sha;
uint8_t md5_digest[MD5_DIGEST_LENGTH];
uint8_t sha_digest[SHA384_DIGEST_LENGTH];
uint8_t client_finished_label[] = "client finished";
struct s2n_blob client_finished = {0};
struct s2n_blob label = {0};
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_client_finished(conn);
}
client_finished.data = conn->handshake.client_finished;
client_finished.size = S2N_TLS_FINISHED_LEN;
label.data = client_finished_label;
label.size = sizeof(client_finished_label) - 1;
master_secret.data = conn->secure.master_secret;
master_secret.size = sizeof(conn->secure.master_secret);
if (conn->actual_protocol_version == S2N_TLS12) {
switch (conn->secure.cipher_suite->tls12_prf_alg) {
case S2N_HMAC_SHA256:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
sha.size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
sha.size = SHA384_DIGEST_LENGTH;
break;
default:
S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
}
sha.data = sha_digest;
return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
}
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
md5.data = md5_digest;
md5.size = MD5_DIGEST_LENGTH;
sha.data = sha_digest;
sha.size = SHA_DIGEST_LENGTH;
return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
}
int s2n_prf_server_finished(struct s2n_connection *conn)
{
struct s2n_blob master_secret, md5, sha;
uint8_t md5_digest[MD5_DIGEST_LENGTH];
uint8_t sha_digest[SHA384_DIGEST_LENGTH];
uint8_t server_finished_label[] = "server finished";
struct s2n_blob server_finished = {0};
struct s2n_blob label = {0};
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_server_finished(conn);
}
server_finished.data = conn->handshake.server_finished;
server_finished.size = S2N_TLS_FINISHED_LEN;
label.data = server_finished_label;
label.size = sizeof(server_finished_label) - 1;
master_secret.data = conn->secure.master_secret;
master_secret.size = sizeof(conn->secure.master_secret);
if (conn->actual_protocol_version == S2N_TLS12) {
switch (conn->secure.cipher_suite->tls12_prf_alg) {
case S2N_HMAC_SHA256:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
sha.size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
sha.size = SHA384_DIGEST_LENGTH;
break;
default:
S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
}
sha.data = sha_digest;
return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
}
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
md5.data = md5_digest;
md5.size = MD5_DIGEST_LENGTH;
sha.data = sha_digest;
sha.size = SHA_DIGEST_LENGTH;
return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
}
static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
struct s2n_blob client_key = {0};
client_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
client_key.data = s2n_stuffer_raw_read(key_material, client_key.size);
notnull_check(client_key.data);
if (conn->mode == S2N_CLIENT) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.client_key, &client_key));
} else {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.client_key, &client_key));
}
return 0;
}
static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
struct s2n_blob server_key = {0};
server_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
server_key.data = s2n_stuffer_raw_read(key_material, server_key.size);
notnull_check(server_key.data);
if (conn->mode == S2N_SERVER) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.server_key, &server_key));
} else {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.server_key, &server_key));
}
return 0;
}
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) };
struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) };
struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) };
struct s2n_blob label, out;
uint8_t key_expansion_label[] = "key expansion";
uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];
label.data = key_expansion_label;
label.size = sizeof(key_expansion_label) - 1;
out.data = key_block;
out.size = sizeof(key_block);
struct s2n_stuffer key_material = {{0}};
GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &out));
GUARD(s2n_stuffer_init(&key_material, &out));
GUARD(s2n_stuffer_write(&key_material, &out));
GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.client_key));
GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.server_key));
/* Check that we have a valid MAC and key size */
uint8_t mac_size;
if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
mac_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.mac_key_size;
} else {
GUARD(s2n_hmac_digest_size(conn->secure.cipher_suite->record_alg->hmac_alg, &mac_size));
}
/* Seed the client MAC */
uint8_t *client_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(client_mac_write_key);
GUARD(s2n_hmac_reset(&conn->secure.client_record_mac));
GUARD(s2n_hmac_init(&conn->secure.client_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, client_mac_write_key, mac_size));
/* Seed the server MAC */
uint8_t *server_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(server_mac_write_key);
GUARD(s2n_hmac_reset(&conn->secure.server_record_mac));
GUARD(s2n_hmac_init(&conn->secure.server_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, server_mac_write_key, mac_size));
/* Make the client key */
GUARD(s2n_prf_make_client_key(conn, &key_material));
/* Make the server key */
GUARD(s2n_prf_make_server_key(conn, &key_material));
/* Composite CBC does MAC inside the cipher, pass it the MAC key.
* Must happen after setting encryption/decryption keys.
*/
if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.server_key, server_mac_write_key, mac_size));
GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.client_key, client_mac_write_key, mac_size));
}
/* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */
if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->record_alg->cipher->type != S2N_AEAD) {
return 0;
}
uint32_t implicit_iv_size = 0;
switch (conn->secure.cipher_suite->record_alg->cipher->type) {
case S2N_AEAD:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.aead.fixed_iv_size;
break;
case S2N_CBC:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.cbc.block_size;
break;
case S2N_COMPOSITE:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.block_size;
break;
/* No-op for stream ciphers */
default:
break;
}
struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv,.size = implicit_iv_size };
struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv,.size = implicit_iv_size };
GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));
return 0;
}
int main(int argc, char **argv)
{
struct s2n_stuffer certificate_in, certificate_out;
struct s2n_stuffer dhparams_in, dhparams_out;
struct s2n_stuffer rsa_key_in, rsa_key_out;
struct s2n_blob b;
BEGIN_TEST();
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_in, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_out, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_in, sizeof(private_key)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_out, sizeof(private_key)));
b.data = certificate;
b.size = sizeof(certificate);
EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &b));
b.data = private_key;
b.size = sizeof(private_key);
EXPECT_SUCCESS(s2n_stuffer_write(&rsa_key_in, &b));
b.data = dhparams;
b.size = sizeof(dhparams);
EXPECT_SUCCESS(s2n_stuffer_write(&dhparams_in, &b));
EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out));
EXPECT_SUCCESS(s2n_stuffer_rsa_private_key_from_pem(&rsa_key_in, &rsa_key_out));
EXPECT_SUCCESS(s2n_stuffer_dhparams_from_pem(&dhparams_in, &dhparams_out));
struct s2n_rsa_private_key priv_key;
struct s2n_rsa_public_key pub_key;
b.size = s2n_stuffer_data_available(&certificate_out);
b.data = s2n_stuffer_raw_read(&certificate_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_public_key(&pub_key, &b));
b.size = s2n_stuffer_data_available(&rsa_key_out);
b.data = s2n_stuffer_raw_read(&rsa_key_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_private_key(&priv_key, &b));
EXPECT_SUCCESS(s2n_rsa_keys_match(&pub_key, &priv_key));
struct s2n_connection *conn;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(conn->config, (char *)chain, (char *)private_key));
struct s2n_dh_params dh_params;
b.size = s2n_stuffer_data_available(&dhparams_out);
b.data = s2n_stuffer_raw_read(&dhparams_out, b.size);
EXPECT_SUCCESS(s2n_pkcs3_to_dh_params(&dh_params, &b));
EXPECT_SUCCESS(s2n_config_add_dhparams(conn->config, (char *)dhparams));
/* Try signing and verification with RSA */
uint8_t inputpad[] = "Hello world!";
struct s2n_blob signature;
struct s2n_hash_state tls10_one, tls10_two, tls12_one, tls12_two;
EXPECT_SUCCESS(s2n_hash_init(&tls10_one, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls10_two, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_one, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_two, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_alloc(&signature, s2n_rsa_public_encrypted_size(&pub_key)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls10_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls10_two, &signature));
EXPECT_SUCCESS(s2n_hash_update(&tls12_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls12_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls12_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls12_two, &signature));
EXPECT_SUCCESS(s2n_dh_params_free(&dh_params));
EXPECT_SUCCESS(s2n_rsa_private_key_free(&priv_key));
EXPECT_SUCCESS(s2n_rsa_public_key_free(&pub_key));
EXPECT_SUCCESS(s2n_config_free_dhparams(conn->config));
EXPECT_SUCCESS(s2n_config_free_cert_chain_and_key(conn->config));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_free(&signature));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_in));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_out));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_in));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_out));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_in));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_out));
END_TEST();
}
int s2n_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE;
state->currently_in_hash_block = 0;
state->digest_size = 0;
state->block_size = 64;
state->hash_block_size = 64;
switch (alg) {
case S2N_HMAC_NONE:
break;
case S2N_HMAC_SSLv3_MD5:
state->block_size = 48;
/* Fall through ... */
case S2N_HMAC_MD5:
hash_alg = S2N_HASH_MD5;
state->digest_size = MD5_DIGEST_LENGTH;
break;
case S2N_HMAC_SSLv3_SHA1:
state->block_size = 40;
/* Fall through ... */
case S2N_HMAC_SHA1:
hash_alg = S2N_HASH_SHA1;
state->digest_size = SHA_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA224:
hash_alg = S2N_HASH_SHA224;
state->digest_size = SHA224_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA256:
hash_alg = S2N_HASH_SHA256;
state->digest_size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
hash_alg = S2N_HASH_SHA384;
state->digest_size = SHA384_DIGEST_LENGTH;
state->block_size = 128;
state->hash_block_size = 128;
break;
case S2N_HMAC_SHA512:
hash_alg = S2N_HASH_SHA512;
state->digest_size = SHA512_DIGEST_LENGTH;
state->block_size = 128;
state->hash_block_size = 128;
break;
default:
S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
gte_check(sizeof(state->xor_pad), state->block_size);
gte_check(sizeof(state->digest_pad), state->digest_size);
state->alg = alg;
if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5) {
return s2n_sslv3_mac_init(state, alg, key, klen);
}
GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
GUARD(s2n_hash_init(&state->outer, hash_alg));
uint32_t copied = klen;
if (klen > state->block_size) {
GUARD(s2n_hash_update(&state->outer, key, klen));
GUARD(s2n_hash_digest(&state->outer, state->digest_pad, state->digest_size));
memcpy_check(state->xor_pad, state->digest_pad, state->digest_size);
copied = state->digest_size;
} else {
memcpy_check(state->xor_pad, key, klen);
}
for (int i = 0; i < copied; i++) {
state->xor_pad[i] ^= 0x36;
}
for (int i = copied; i < state->block_size; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));
/* 0x36 xor 0x5c == 0x6a */
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] ^= 0x6a;
}
return s2n_hmac_reset(state);
}
static int s2n_ecdhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob ecdhparams;
struct s2n_blob signature;
uint16_t signature_length;
/* Read server ECDH params and calculate their hash */
GUARD(s2n_ecc_read_ecc_params(&conn->secure.server_ecc_params, in, &ecdhparams));
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, ecdhparams.data, ecdhparams.size));
/* Verify the signature */
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
return 0;
}
int main(int argc, char **argv)
{
uint8_t digest_pad[64];
uint8_t output_pad[96];
uint8_t hello[] = "Hello world!\n";
struct s2n_stuffer output;
struct s2n_hash_state hash, copy;
struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) };
BEGIN_TEST();
/* Initialise our output stuffers */
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t md5_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_MD5, &md5_digest_size));
EXPECT_EQUAL(md5_digest_size, 16);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_MD5));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_copy(©, &hash));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, MD5_DIGEST_LENGTH));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line md5sum */
EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);
/* Check the copy */
EXPECT_SUCCESS(s2n_hash_digest(©, digest_pad, MD5_DIGEST_LENGTH));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line md5sum */
EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha1_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA1, &sha1_digest_size));
EXPECT_EQUAL(sha1_digest_size, 20);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA_DIGEST_LENGTH));
for (int i = 0; i < 20; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha1sum */
EXPECT_EQUAL(memcmp(output_pad, "47a013e660d408619d894b20806b1d5086aab03b", 20 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha256_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA256, &sha256_digest_size));
EXPECT_EQUAL(sha256_digest_size, 32);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA256));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA256_DIGEST_LENGTH));
for (int i = 0; i < 32; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha256sum */
EXPECT_EQUAL(memcmp(output_pad, "0ba904eae8773b70c75333db4de2f3ac45a8ad4ddba1b242f0b3cfc199391dd8", 32 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha384_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA384, &sha384_digest_size));
EXPECT_EQUAL(sha384_digest_size, 48);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA384));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA384_DIGEST_LENGTH));
for (int i = 0; i < 48; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha512sum */
EXPECT_EQUAL(memcmp(output_pad, "f7f8f1b9d5a9a61742eeda26c20990282ac08dabda14e70376fcb4c8b46198a9959ea9d7d194b38520eed5397ffe6d8e", 48 * 2), 0);
END_TEST();
}
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out)
{
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, out);
}
/* We zero the out blob because p_hash works by XOR'ing with the existing
* buffer. This is a little convuloted but means we can avoid dynamic memory
* allocation. When we call p_hash once (in the TLS1.2 case) it will produce
* the right values. When we call it twice in the regular case, the two
* outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
*/
GUARD(s2n_blob_zero(out));
if (conn->actual_protocol_version == S2N_TLS12) {
return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b, out);
}
struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 };
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, out));
half_secret.data += secret->size - half_secret.size;
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, out));
return 0;
}
int s2n_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
struct s2n_blob client_random, server_random, master_secret;
struct s2n_blob label;
uint8_t master_secret_label[] = "master secret";
client_random.data = conn->secure.client_random;
client_random.size = sizeof(conn->secure.client_random);
server_random.data = conn->secure.server_random;
server_random.size = sizeof(conn->secure.server_random);
master_secret.data = conn->secure.master_secret;
master_secret.size = sizeof(conn->secure.master_secret);
label.data = master_secret_label;
label.size = sizeof(master_secret_label) - 1;
return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &master_secret);
}
static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t *out)
{
uint8_t xorpad1[48] =
{ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
uint8_t xorpad2[48] =
{ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
};
uint8_t *md5_digest = out;
uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
GUARD(s2n_hash_update(md5, prefix, 4));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad1, 48));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad2, 48));
GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(sha1, prefix, 4));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad1, 40));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad2, 40));
GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
return 0;
}
