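/*
 * Record sizing test for the AES128-CBC record cipher with an HMAC-SHA1 MAC.
 *
 * Writes an over-sized APPLICATION_DATA record three times -- with the
 * default fragment setting, after s2n_connection_prefer_low_latency() and
 * after s2n_connection_prefer_throughput() -- and checks that
 * s2n_record_write() consumes exactly the block-aligned payload that fits
 * in a small or large fragment respectively.
 *
 * Returns: END_TEST()'s exit status (0 when every EXPECT_* passed).
 */
int main(int argc, char **argv)
{
    struct s2n_connection *conn;
    uint8_t mac_key[] = "sample mac key";
    /* sizeof() counts the terminating NUL, so this is the 16-byte key AES-128 needs. */
    uint8_t aes128_key[] = "123456789012345";
    struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
    /* One byte more than the largest record: the writer must truncate, never over-read. */
    uint8_t random_data[S2N_LARGE_RECORD_LENGTH + 1];
    struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};

    BEGIN_TEST();

    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
    EXPECT_SUCCESS(s2n_get_urandom_data(&r));

    /* Peer and we are in sync: both directions use the same crypto parameters. */
    conn->server = &conn->secure;
    conn->client = &conn->secure;

    /* test the AES128 cipher with a SHA1 hash */
    conn->secure.cipher_suite->cipher = &s2n_aes128;
    conn->secure.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
    EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &aes128));
    EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &aes128));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));

    conn->actual_protocol_version = S2N_TLS11;

    /* Align the record size to the 16-byte AES block, then subtract 20 bytes for
     * the HMAC, 16 bytes for the explicit IV, and one byte for the padding
     * length byte. What is left is the payload a single record can carry. */
    int small_aligned_payload = S2N_SMALL_FRAGMENT_LENGTH - (S2N_SMALL_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
    int large_aligned_payload = S2N_LARGE_FRAGMENT_LENGTH - (S2N_LARGE_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
    int bytes_written;

    /* Check the default: small record */
    EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
    EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
    EXPECT_EQUAL(bytes_written, small_aligned_payload);

    /* Check explicitly small records */
    EXPECT_SUCCESS(s2n_connection_prefer_low_latency(conn));
    EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
    EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
    EXPECT_EQUAL(bytes_written, small_aligned_payload);

    /* Check explicitly large records */
    EXPECT_SUCCESS(s2n_connection_prefer_throughput(conn));
    EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
    EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
    EXPECT_EQUAL(bytes_written, large_aligned_payload);

    /* Clean up. The connection must not be touched after s2n_connection_free();
     * the earlier revision re-initialised server_record_mac through the freed
     * pointer here, which was a use-after-free. */
    EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.server_key));
    EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.client_key));
    EXPECT_SUCCESS(s2n_connection_free(conn));

    END_TEST();
}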
/* Feed label || seed_a [|| seed_b] into a running HMAC. seed_b may be NULL. */
static int s2n_p_hash_absorb_seed(struct s2n_hmac_state *hmac, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b)
{
    GUARD(s2n_hmac_update(hmac, label->data, label->size));
    GUARD(s2n_hmac_update(hmac, seed_a->data, seed_a->size));
    if (seed_b != NULL) {
        GUARD(s2n_hmac_update(hmac, seed_b->data, seed_b->size));
    }
    return 0;
}

/*
 * P_hash from the TLS PRF (RFC 2246 section 5):
 *
 *   A(0) = seed, A(i) = HMAC(secret, A(i-1))
 *   P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
 *
 * where seed = label || seed_a [|| seed_b]. The output is XORed into `out`
 * rather than copied, so callers zero `out` first when they want the plain
 * result, and can call twice (P_MD5 then P_SHA1) to get the TLS 1.0/1.1 PRF.
 * Scratch state lives in ws->tls: hmac, digest0 (the current A(i)) and
 * digest1 (the current output chunk).
 *
 * Returns 0 on success, -1 if any HMAC step fails (GUARD).
 */
static int s2n_p_hash(union s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out)
{
    struct s2n_hmac_state *hmac = &ws->tls.hmac;
    uint32_t digest_size = s2n_hmac_digest_size(alg);

    /* A(1) = HMAC(secret, seed) */
    GUARD(s2n_hmac_init(hmac, alg, secret->data, secret->size));
    GUARD(s2n_p_hash_absorb_seed(hmac, label, seed_a, seed_b));
    GUARD(s2n_hmac_digest(hmac, ws->tls.digest0, digest_size));

    uint8_t *cursor = out->data;
    uint32_t remaining = out->size;

    while (remaining > 0) {
        /* chunk = HMAC(secret, A(i) + seed) */
        GUARD(s2n_hmac_reset(hmac));
        GUARD(s2n_hmac_update(hmac, ws->tls.digest0, digest_size));
        GUARD(s2n_p_hash_absorb_seed(hmac, label, seed_a, seed_b));
        GUARD(s2n_hmac_digest(hmac, ws->tls.digest1, digest_size));

        /* XOR as much of the chunk as the output still needs. */
        uint32_t chunk = remaining < digest_size ? remaining : digest_size;
        for (uint32_t k = 0; k < chunk; k++) {
            cursor[k] ^= ws->tls.digest1[k];
        }
        cursor += chunk;
        remaining -= chunk;

        /* A(i+1) = HMAC(secret, A(i)), kept in place for the next round. */
        GUARD(s2n_hmac_reset(hmac));
        GUARD(s2n_hmac_update(hmac, ws->tls.digest0, digest_size));
        GUARD(s2n_hmac_digest(hmac, ws->tls.digest0, digest_size));
    }

    return 0;
}
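/*
 * Record-layer round trip for the RC4 stream cipher with an HMAC-SHA1 MAC
 * under TLS 1.1.
 *
 * For every payload size from 0 up to one byte past S2N_SMALL_FRAGMENT_LENGTH
 * the test writes an APPLICATION_DATA record, checks how much of the input
 * was consumed and what the 5-byte record header says, verifies the body no
 * longer matches the plaintext, then feeds the record back through
 * s2n_record_header_parse()/s2n_record_parse() and checks the parsed header.
 *
 * Returns: END_TEST()'s exit status (0 when every EXPECT_* passed).
 */
int main(int argc, char **argv)
{
    struct s2n_connection *conn;
    uint8_t mac_key[] = "sample mac key";
    /* sizeof() counts the terminating NUL, so the key blob is 16 bytes. */
    uint8_t rc4_key[] = "123456789012345";
    struct s2n_blob key_iv = {.data = rc4_key,.size = sizeof(rc4_key) };
    uint8_t random_data[S2N_SMALL_FRAGMENT_LENGTH + 1];
    struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};

    BEGIN_TEST();

    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
    EXPECT_SUCCESS(s2n_get_urandom_data(&r));

    /* Peer and we are in sync. Only conn->server is pointed at the active
     * parameters here; conn->client keeps whatever s2n_connection_new() set. */
    conn->server = &conn->active;

    /* test the RC4 cipher with a SHA1 hash */
    conn->active.cipher_suite->cipher = &s2n_rc4;
    conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.server_key));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.client_key));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &key_iv));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &key_iv));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));

    conn->actual_protocol_version = S2N_TLS11;

    for (int i = 0; i <= S2N_SMALL_FRAGMENT_LENGTH + 1; i++) {
        struct s2n_blob in = {.data = random_data,.size = i };
        int bytes_written;

        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
        EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));

        /* 20 bytes of every fragment are the SHA1 MAC, so a single record
         * carries at most S2N_SMALL_FRAGMENT_LENGTH - 20 bytes of payload. */
        if (i <= S2N_SMALL_FRAGMENT_LENGTH - 20) {
            EXPECT_EQUAL(bytes_written, i);
        } else {
            EXPECT_EQUAL(bytes_written, S2N_SMALL_FRAGMENT_LENGTH - 20);
        }

        uint16_t predicted_length = bytes_written + 20;

        /* Record header: content type, version 3.2 (TLS 1.1), big-endian fragment length. */
        EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
        EXPECT_EQUAL(conn->out.blob.data[1], 3);
        EXPECT_EQUAL(conn->out.blob.data[2], 2);
        EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
        EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);

        /* The data should be encrypted (skipped for tiny payloads, where a
         * chance match with random plaintext is not negligible). */
        if (bytes_written > 10) {
            EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
        }

        /* Copy the encrypted out data to the in data: header into header_in,
         * everything after it into in. Both statements must be terminated;
         * the EXPECT_* macros only happened to compile without the ';'. */
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));

        /* Check that the data looks right: payload plus the 20-byte MAC. */
        EXPECT_EQUAL(bytes_written + 20, s2n_stuffer_data_available(&conn->in));

        /* Let's decrypt it */
        uint8_t content_type;
        uint16_t fragment_length;
        EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
        EXPECT_SUCCESS(s2n_record_parse(conn));
        EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
        EXPECT_EQUAL(fragment_length, predicted_length);
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
    }

    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
    EXPECT_SUCCESS(s2n_connection_free(conn));

    END_TEST();
}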
/*
 * Return a connection to its freshly-created state so it can be reused.
 *
 * Everything in the connection is discarded except the mode, the config and
 * the seven stuffers listed in `kept`, whose structs are saved on the stack
 * across the memset and copied back afterwards. Key material is released via
 * s2n_connection_free_keys() and every stuffer is wiped before the rest of
 * the structure is zeroed, so no secret survives in the zeroed region.
 *
 * NOTE(review): the handshake hash states are re-initialised after the memset
 * without an explicit release; if s2n_hash_init() allocates, confirm the old
 * states are freed elsewhere (s2n_connection_free_keys?).
 *
 * Returns 0 on success, -1 if any wipe, resize, copy or init step fails.
 */
int s2n_connection_wipe(struct s2n_connection *conn)
{
    /* Stuffers that outlive the wipe, in the order they are wiped, saved and restored. */
    struct s2n_stuffer *kept[] = {
        &conn->alert_in,
        &conn->reader_alert_out,
        &conn->writer_alert_out,
        &conn->handshake.io,
        &conn->header_in,
        &conn->in,
        &conn->out,
    };
    struct s2n_stuffer stash[sizeof(kept) / sizeof(kept[0])];
    const int kept_count = (int)(sizeof(kept) / sizeof(kept[0]));

    int kept_mode = conn->mode;
    struct s2n_config *kept_config = conn->config;

    /* Throw away the sensitive state first. */
    GUARD(s2n_connection_free_keys(conn));
    for (int i = 0; i < kept_count; i++) {
        GUARD(s2n_stuffer_wipe(kept[i]));
    }

    /* Bring the two growable buffers back to their original sizes. */
    GUARD(s2n_stuffer_resize(&conn->in, S2N_DEFAULT_FRAGMENT_LENGTH));
    GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_DEFAULT_RECORD_LENGTH));

    /* Stash the stuffer structs. The destination is on the stack, which makes
     * gcc >= 4.6 emit -Waddress warnings inside memcpy_check; silence them
     * (the diagnostic pragma itself exists from gcc 4.6 on). */
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
    for (int i = 0; i < kept_count; i++) {
        memcpy_check(&stash[i], kept[i], sizeof(stash[i]));
    }
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic pop
#endif

    /* Zero the whole connection structure, then rebuild the non-zero defaults. */
    memset_check(conn, 0, sizeof(struct s2n_connection));

    conn->readfd = -1;
    conn->writefd = -1;
    conn->mode = kept_mode;
    conn->config = kept_config;
    conn->active.cipher_suite = &s2n_null_cipher_suite;
    conn->pending.cipher_suite = &s2n_null_cipher_suite;
    conn->server = &conn->active;
    conn->client = &conn->active;
    conn->max_fragment_length = S2N_DEFAULT_FRAGMENT_LENGTH;
    conn->handshake.state = CLIENT_HELLO;

    GUARD(s2n_hash_init(&conn->handshake.client_md5, S2N_HASH_MD5));
    GUARD(s2n_hash_init(&conn->handshake.client_sha1, S2N_HASH_SHA1));
    GUARD(s2n_hash_init(&conn->handshake.client_sha256, S2N_HASH_SHA256));
    GUARD(s2n_hash_init(&conn->handshake.server_md5, S2N_HASH_MD5));
    GUARD(s2n_hash_init(&conn->handshake.server_sha1, S2N_HASH_SHA1));
    GUARD(s2n_hash_init(&conn->handshake.server_sha256, S2N_HASH_SHA256));
    GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0));
    GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0));

    /* Put the stuffers back; `kept` still points into conn, whose address is unchanged. */
    for (int i = 0; i < kept_count; i++) {
        memcpy_check(kept[i], &stash[i], sizeof(stash[i]));
    }

    /* Set everything to the highest version at first; negotiation lowers it. */
    conn->server_protocol_version = s2n_highest_protocol_version;
    conn->client_protocol_version = s2n_highest_protocol_version;
    conn->actual_protocol_version = s2n_highest_protocol_version;

    return 0;
}
/*
 * Record-layer round trip for the AES-GCM record ciphers under TLS 1.2.
 *
 * For every payload size from 0 up to one byte past the fragment limit the
 * test writes an APPLICATION_DATA record, checks the 5-byte header and the
 * fragment length, checks the body no longer matches the plaintext, reads the
 * record back through s2n_record_header_parse()/s2n_record_parse(), and then
 * corrupts one byte at a time -- first a single byte, then each byte of the
 * explicit IV, the tag and the ciphertext -- expecting s2n_record_parse() to
 * reject every corrupted record. The whole sequence runs once with
 * s2n_aes128_gcm and once with s2n_aes256_gcm on a fresh connection.
 *
 * The EXPECT_* macros count into a local declared by BEGIN_TEST(), which is
 * why the duplicated loop body is not factored into a helper function.
 *
 * Returns: END_TEST()'s exit status (0 when every EXPECT_* passed).
 */
int main(int argc, char **argv)
{
    struct s2n_connection *conn;
    uint8_t random_data[S2N_DEFAULT_FRAGMENT_LENGTH + 1];
    uint8_t mac_key[] = "sample mac key";
    /* sizeof() counts the terminating NUL: 15 + 1 = 16 key bytes and 31 + 1 = 32 key bytes. */
    uint8_t aes128_key[] = "123456789012345";
    uint8_t aes256_key[] = "1234567890123456789012345678901";
    struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
    struct s2n_blob aes256 = {.data = aes256_key,.size = sizeof(aes256_key) };
    struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};

    BEGIN_TEST();

    EXPECT_SUCCESS(s2n_init());
    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
    EXPECT_SUCCESS(s2n_get_urandom_data(&r));

    /* Peer and we are in sync: both directions use the same crypto parameters. */
    conn->server = &conn->active;
    conn->client = &conn->active;

    /* test the AES128 cipher with a SHA1 hash */
    conn->active.cipher_suite->cipher = &s2n_aes128_gcm;
    conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes128));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes128));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));

    conn->actual_protocol_version = S2N_TLS12;

    int max_fragment = S2N_DEFAULT_FRAGMENT_LENGTH;
    for (int i = 0; i <= max_fragment + 1; i++) {
        struct s2n_blob in = {.data = random_data,.size = i };
        int bytes_written;

        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
        EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));

        /* Per-record overhead inside the fragment. The 20 is the SHA1 MAC
         * (hmac_alg above, and the "+ 20" in predicted_length below), not the
         * 5-byte record header. */
        static const int overhead = 20 /* SHA1 MAC */ + 8 /* IV */ + 16; /* TAG */
        if (i < max_fragment - overhead) {
            EXPECT_EQUAL(bytes_written, i);
        } else {
            EXPECT_EQUAL(bytes_written, max_fragment - overhead);
        }

        /* Expected fragment length: payload + MAC + explicit IV + tag. */
        uint16_t predicted_length = bytes_written + 20;
        predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
        predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;

        /* Record header: content type, version 3.3 (TLS 1.2), big-endian fragment length. */
        EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
        EXPECT_EQUAL(conn->out.blob.data[1], 3);
        EXPECT_EQUAL(conn->out.blob.data[2], 3);
        EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
        EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);

        /* The data should be encrypted (skipped for tiny payloads, where a
         * chance match with random plaintext is not negligible). */
        if (bytes_written > 10) {
            EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
        }

        /* Copy the encrypted out data to the in data: the 5-byte header goes
         * to header_in, the fragment body to in. */
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));

        /* Let's decrypt it */
        uint8_t content_type;
        uint16_t fragment_length;
        EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
        EXPECT_SUCCESS(s2n_record_parse(conn));
        EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
        EXPECT_EQUAL(fragment_length, predicted_length);
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));

        /* Now lets corrupt some data and ensure the tests pass */
        /* Copy the encrypted out data to the in data */
        EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));

        /* Intended to tamper the protocol version in the header (which is part
         * of the AAD) and ensure decryption fails.
         * NOTE(review): the header was copied into header_in above, so
         * in.blob.data[2] is the third byte of the fragment body, not the
         * version byte; s2n_record_header_parse() still succeeds below and
         * the failure comes from the corrupted body. Confirm the intended
         * target (header_in.blob.data[2]?). */
        conn->in.blob.data[2] = 2;
        EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
        EXPECT_FAILURE(s2n_record_parse(conn));
        EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));

        /* Tamper with the IV and ensure decryption fails.
         * NOTE(review): the "5 + j" offsets in this loop and the ciphertext
         * loop look like they assume the 5-byte header is still in front of
         * the body in conn->in; confirm which bytes are actually corrupted. */
        for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[5 + j] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }

        /* Tamper with the TAG and ensure decryption fails.
         * NOTE(review): this indexes from in.blob.size, the buffer size; confirm
         * it equals the number of bytes copied in, otherwise the increments land
         * past the record instead of on the tag. */
        for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[conn->in.blob.size - j - 1] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }

        /* Tamper with the cipher text and ensure decryption fails */
        for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[5 + j] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }
    }

    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
    EXPECT_SUCCESS(s2n_connection_free(conn));

    /* test the AES256 cipher with a SHA1 hash. Same sequence on a fresh
     * connection; note conn->server/conn->client are not re-pointed here. */
    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
    conn->active.cipher_suite->cipher = &s2n_aes256_gcm;
    conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes256));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes256));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
    EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));

    conn->actual_protocol_version = S2N_TLS12;

    for (int i = 0; i <= max_fragment + 1; i++) {
        struct s2n_blob in = {.data = random_data,.size = i };
        int bytes_written;

        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
        EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));

        /* Same overhead as for AES128 above: SHA1 MAC + explicit IV + tag. */
        static const int overhead = 20 /* SHA1 MAC */ + 8 /* IV */ + 16; /* TAG */
        if (i < max_fragment - overhead) {
            EXPECT_EQUAL(bytes_written, i);
        } else {
            EXPECT_EQUAL(bytes_written, max_fragment - overhead);
        }

        uint16_t predicted_length = bytes_written + 20;
        predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
        predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;

        /* Record header: content type, version 3.3 (TLS 1.2), big-endian fragment length. */
        EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
        EXPECT_EQUAL(conn->out.blob.data[1], 3);
        EXPECT_EQUAL(conn->out.blob.data[2], 3);
        EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
        EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);

        /* The data should be encrypted */
        if (bytes_written > 10) {
            EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
        }

        /* Copy the encrypted out data to the in data */
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));

        /* Let's decrypt it */
        uint8_t content_type;
        uint16_t fragment_length;
        EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
        EXPECT_SUCCESS(s2n_record_parse(conn));
        EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
        EXPECT_EQUAL(fragment_length, predicted_length);
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));

        /* Now lets corrupt some data and ensure the tests pass */
        /* Copy the encrypted out data to the in data */
        EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
        EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));

        /* Intended to tamper the protocol version in the header (part of the
         * AAD); see the NOTE(review) on the AES128 copy of this step. */
        conn->in.blob.data[2] = 2;
        EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
        EXPECT_FAILURE(s2n_record_parse(conn));
        EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
        EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));

        /* Tamper with the IV and ensure decryption fails */
        for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[5 + j] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }

        /* Tamper with the TAG and ensure decryption fails */
        for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[conn->in.blob.size - j - 1] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }

        /* Tamper with the cipher text and ensure decryption fails */
        for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
            /* Copy the encrypted out data to the in data */
            EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
            EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
            conn->in.blob.data[5 + j] ++;
            EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
            EXPECT_FAILURE(s2n_record_parse(conn));
            EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
            EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
        }
    }

    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
    EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
    EXPECT_SUCCESS(s2n_connection_free(conn));

    END_TEST();
}
/*
 * Protocol-version dispatch for the TLS PRF.
 *
 *   SSLv3     -> s2n_sslv3_prf()
 *   TLS 1.2   -> one P_hash keyed by the cipher suite's tls12_prf_alg
 *   TLS 1.0/1 -> P_MD5 over the first half of the secret XORed with P_SHA1
 *                over the second half (for an odd-length secret the two
 *                halves share the middle byte, per the (size + 1) / 2 split)
 *
 * The PRF output is computed over label || seed_a [|| seed_b [|| seed_c]]
 * and XORed into `out`, which is zeroed first.
 *
 * NOTE(review): the s2n_p_hash() definition earlier on this page takes no
 * seed_c argument; these calls pass eight arguments, so they belong to a
 * different revision of the file. Confirm the matching definition.
 *
 * Returns 0 on success, -1 with an s2n error set otherwise.
 */
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
{
    /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
    S2N_ERROR_IF(seed_a == NULL, S2N_ERR_PRF_INVALID_SEED);
    S2N_ERROR_IF(seed_b == NULL && seed_c != NULL, S2N_ERR_PRF_INVALID_SEED);

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, seed_c, out);
    }

    /* We zero the out blob because p_hash works by XOR'ing with the existing
     * buffer. This is a little convoluted but means we can avoid dynamic memory
     * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
     * the right values. When we call it twice in the regular case, the two
     * outputs will be XORd just as the TLS 1.0 and 1.1 RFCs require. */
    GUARD(s2n_blob_zero(out));

    /* Ensure that p_hash_hmac_impl is set, as it may have been reset for prf_space on s2n_connection_wipe.
     * When in FIPS mode, the EVP API's must be used for the p_hash HMAC. */
    conn->prf_space.tls.p_hash_hmac_impl = s2n_is_in_fips_mode() ? &s2n_evp_hmac : &s2n_hmac;

    if (conn->actual_protocol_version == S2N_TLS12) {
        return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b, seed_c, out);
    }

    /* First half of the secret for P_MD5; rounded up so an odd byte is shared. */
    struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 };

    GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
    /* Slide to the last half_secret.size bytes for P_SHA1. */
    half_secret.data += secret->size - half_secret.size;
    GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));

    return 0;
}

/*
 * Derive conn->secure.master_secret from the premaster secret with the
 * "master secret" label and client_random || server_random as the seed.
 * The label blob excludes the string's terminating NUL.
 *
 * Returns s2n_prf()'s result.
 */
int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
    struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
    struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
    struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};

    uint8_t master_secret_label[] = "master secret";
    struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};

    return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
}

/*
 * Hybrid key exchange variant of s2n_tls_prf_master_secret(): uses the
 * "hybrid master secret" label and additionally binds the derivation to the
 * client key exchange message by passing it as the third seed.
 *
 * Returns s2n_prf()'s result.
 */
int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
    struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
    struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
    struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};

    uint8_t master_secret_label[] = "hybrid master secret";
    struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};

    return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->secure.client_key_exchange_message, &master_secret);
}

/*
 * SSLv3 Finished computation. `md5` and `sha1` arrive already holding the
 * caller's copy of the handshake hash state; each is extended with
 * prefix || master_secret || pad1 and digested, then a second pass hashes
 * master_secret || pad2 || inner_digest. MD5 uses 48 pad bytes, SHA1 40.
 * The MD5 digest is written to out[0..15] and the SHA1 digest right after it.
 *
 * prefix: 4-byte sender tag supplied by the caller.
 * out:    must hold MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH bytes.
 *
 * NOTE(review): the size check below always looks at client_finished, even
 * when `out` is server_finished; presumably both arrays are the same size,
 * confirm.
 *
 * Returns 0 on success, -1 on any hash failure.
 */
static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t * out)
{
    uint8_t xorpad1[48] = {
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
        0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
    };
    uint8_t xorpad2[48] = {
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
        0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
    };
    uint8_t *md5_digest = out;
    uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));

    /* MD5 half: inner digest, then outer digest over the inner one. */
    GUARD(s2n_hash_update(md5, prefix, 4));
    GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(md5, xorpad1, 48));
    GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(md5));
    GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(md5, xorpad2, 48));
    GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(md5));

    /* SHA1 half: same shape with 40-byte pads. */
    GUARD(s2n_hash_update(sha1, prefix, 4));
    GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(sha1, xorpad1, 40));
    GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(sha1));
    GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
    GUARD(s2n_hash_update(sha1, xorpad2, 40));
    GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
    GUARD(s2n_hash_reset(sha1));

    return 0;
}

/*
 * SSLv3 client Finished: prefix "CLNT", written to conn->handshake.client_finished.
 * Works on copies of the handshake md5/sha1 states so the originals keep
 * accumulating the transcript.
 */
static int s2n_sslv3_client_finished(struct s2n_connection *conn)
{
    uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
    return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.client_finished);
}

/*
 * SSLv3 server Finished: prefix "SRVR", written to conn->handshake.server_finished.
 */
static int s2n_sslv3_server_finished(struct s2n_connection *conn)
{
    uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };

    lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished));
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
    return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.server_finished);
}

/*
 * Compute the client Finished verify_data into conn->handshake.client_finished
 * (S2N_TLS_FINISHED_LEN bytes) as PRF(master_secret, "client finished", seed).
 *
 * TLS 1.2: seed is the digest of the suite's PRF hash (SHA256 or SHA384)
 *          taken from a copy of the handshake state; any other tls12_prf_alg
 *          is rejected with S2N_ERR_PRF_INVALID_ALGORITHM.
 * TLS 1.0/1.1: seed is MD5(transcript) || SHA1(transcript).
 * SSLv3: delegated to s2n_sslv3_client_finished().
 *
 * sha_digest is sized for the largest digest (SHA384) and reused for SHA1/SHA256.
 *
 * Returns 0 on success, -1 on error.
 */
int s2n_prf_client_finished(struct s2n_connection *conn)
{
    struct s2n_blob master_secret, md5, sha;
    uint8_t md5_digest[MD5_DIGEST_LENGTH];
    uint8_t sha_digest[SHA384_DIGEST_LENGTH];
    uint8_t client_finished_label[] = "client finished";
    struct s2n_blob client_finished = {0};
    struct s2n_blob label = {0};

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_client_finished(conn);
    }

    client_finished.data = conn->handshake.client_finished;
    client_finished.size = S2N_TLS_FINISHED_LEN;
    /* Label excludes the terminating NUL. */
    label.data = client_finished_label;
    label.size = sizeof(client_finished_label) - 1;

    master_secret.data = conn->secure.master_secret;
    master_secret.size = sizeof(conn->secure.master_secret);
    if (conn->actual_protocol_version == S2N_TLS12) {
        switch (conn->secure.cipher_suite->tls12_prf_alg) {
        case S2N_HMAC_SHA256:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
            sha.size = SHA256_DIGEST_LENGTH;
            break;
        case S2N_HMAC_SHA384:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
            sha.size = SHA384_DIGEST_LENGTH;
            break;
        default:
            S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
        }

        sha.data = sha_digest;
        return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
    }

    /* Pre-1.2: digest copies of both handshake hashes and use them as the seed. */
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));

    GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
    md5.data = md5_digest;
    md5.size = MD5_DIGEST_LENGTH;
    sha.data = sha_digest;
    sha.size = SHA_DIGEST_LENGTH;

    return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
}

/*
 * Server-side twin of s2n_prf_client_finished(): label "server finished",
 * output to conn->handshake.server_finished; version handling is identical.
 *
 * Returns 0 on success, -1 on error.
 */
int s2n_prf_server_finished(struct s2n_connection *conn)
{
    struct s2n_blob master_secret, md5, sha;
    uint8_t md5_digest[MD5_DIGEST_LENGTH];
    uint8_t sha_digest[SHA384_DIGEST_LENGTH];
    uint8_t server_finished_label[] = "server finished";
    struct s2n_blob server_finished = {0};
    struct s2n_blob label = {0};

    if (conn->actual_protocol_version == S2N_SSLv3) {
        return s2n_sslv3_server_finished(conn);
    }

    server_finished.data = conn->handshake.server_finished;
    server_finished.size = S2N_TLS_FINISHED_LEN;
    /* Label excludes the terminating NUL. */
    label.data = server_finished_label;
    label.size = sizeof(server_finished_label) - 1;

    master_secret.data = conn->secure.master_secret;
    master_secret.size = sizeof(conn->secure.master_secret);
    if (conn->actual_protocol_version == S2N_TLS12) {
        switch (conn->secure.cipher_suite->tls12_prf_alg) {
        case S2N_HMAC_SHA256:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
            sha.size = SHA256_DIGEST_LENGTH;
            break;
        case S2N_HMAC_SHA384:
            GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
            GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
            sha.size = SHA384_DIGEST_LENGTH;
            break;
        default:
            S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
        }

        sha.data = sha_digest;
        return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
    }

    /* Pre-1.2: digest copies of both handshake hashes and use them as the seed. */
    GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
    GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));

    GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
    GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
    md5.data = md5_digest;
    md5.size = MD5_DIGEST_LENGTH;
    sha.data = sha_digest;
    sha.size = SHA_DIGEST_LENGTH;

    return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
}

/*
 * Take key_material_size bytes from the key block and install them as the
 * client write key: an encryption key when this side is the client, a
 * decryption key when it is the server. The blob points into key_material
 * (s2n_stuffer_raw_read), so nothing is copied here; notnull_check rejects
 * a short key block.
 *
 * Returns 0 on success, -1 on error.
 */
static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
    struct s2n_blob client_key = {0};
    client_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
    client_key.data = s2n_stuffer_raw_read(key_material, client_key.size);
    notnull_check(client_key.data);

    if (conn->mode == S2N_CLIENT) {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.client_key, &client_key));
    } else {
        GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.client_key, &client_key));
    }

    return 0;
}

/*
 * Server write key counterpart of s2n_prf_make_client_key(). The definition
 * continues past the end of this excerpt.
 */
static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
    struct s2n_blob server_key = {0};
    server_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
    server_key.data = s2n_stuffer_raw_read(key_material, server_key.size);
    notnull_check(server_key.data);

    if
(conn->mode == S2N_SERVER) { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.server_key, &server_key)); } else { GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.server_key, &server_key)); } return 0; } int s2n_prf_key_expansion(struct s2n_connection *conn) { struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) }; struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) }; struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) }; struct s2n_blob label, out; uint8_t key_expansion_label[] = "key expansion"; uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN]; label.data = key_expansion_label; label.size = sizeof(key_expansion_label) - 1; out.data = key_block; out.size = sizeof(key_block); struct s2n_stuffer key_material = {{0}}; GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &out)); GUARD(s2n_stuffer_init(&key_material, &out)); GUARD(s2n_stuffer_write(&key_material, &out)); GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.client_key)); GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.server_key)); /* Check that we have a valid MAC and key size */ uint8_t mac_size; if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) { mac_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.mac_key_size; } else { GUARD(s2n_hmac_digest_size(conn->secure.cipher_suite->record_alg->hmac_alg, &mac_size)); } /* Seed the client MAC */ uint8_t *client_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size); notnull_check(client_mac_write_key); GUARD(s2n_hmac_reset(&conn->secure.client_record_mac)); GUARD(s2n_hmac_init(&conn->secure.client_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, client_mac_write_key, mac_size)); /* Seed the 
server MAC */ uint8_t *server_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size); notnull_check(server_mac_write_key); GUARD(s2n_hmac_reset(&conn->secure.server_record_mac)); GUARD(s2n_hmac_init(&conn->secure.server_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, server_mac_write_key, mac_size)); /* Make the client key */ GUARD(s2n_prf_make_client_key(conn, &key_material)); /* Make the server key */ GUARD(s2n_prf_make_server_key(conn, &key_material)); /* Composite CBC does MAC inside the cipher, pass it the MAC key. * Must happen after setting encryption/decryption keys. */ if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) { GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.server_key, server_mac_write_key, mac_size)); GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.client_key, client_mac_write_key, mac_size)); } /* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */ if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->record_alg->cipher->type != S2N_AEAD) { return 0; } uint32_t implicit_iv_size = 0; switch (conn->secure.cipher_suite->record_alg->cipher->type) { case S2N_AEAD: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; break; case S2N_CBC: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.cbc.block_size; break; case S2N_COMPOSITE: implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.block_size; break; /* No-op for stream ciphers */ default: break; } struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv,.size = implicit_iv_size }; struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv,.size = implicit_iv_size }; GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv)); GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv)); return 0; }
/* Re-key the P_hash HMAC held in the PRF working space.
 *
 * `alg` selects the HMAC algorithm and `secret` supplies the key bytes (its
 * .data/.size). Returns what s2n_hmac_init returns: 0 on success, -1 on
 * failure. */
static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
{
    struct s2n_hmac_state *p_hash_hmac = &ws->tls.p_hash.s2n_hmac;

    return s2n_hmac_init(p_hash_hmac, alg, secret->data, secret->size);
}
/* Allocate the P_hash HMAC state inside the PRF working space and put it
 * into the keyless S2N_HMAC_NONE state, so the state is valid until the
 * first real key is installed with s2n_hmac_p_hash_init.
 *
 * Returns 0 on success, -1 if allocation or the initial init fails. */
static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
{
    struct s2n_hmac_state *p_hash_hmac = &ws->tls.p_hash.s2n_hmac;

    GUARD(s2n_hmac_new(p_hash_hmac));

    /* No key yet: NULL key of length 0 under the "none" algorithm */
    return s2n_hmac_init(p_hash_hmac, S2N_HMAC_NONE, NULL, 0);
}
/* Reset a connection so it can be reused for a fresh handshake.
 *
 * Everything sensitive is wiped first (session keys, every record/alert/
 * handshake stuffer), then the entire struct is zeroed and the few things that
 * must survive are put back: the mode and config, the stuffers (kept so their
 * backing memory need not be reallocated) and the four session key structs
 * (kept for the same reason). Hash and MAC states are re-initialised empty
 * and the protocol-version fields are reset according to the mode.
 *
 * Returns 0 on success, -1 if any wipe, restore or re-initialisation fails;
 * because each step returns early, a failure may leave the connection only
 * partially reset.
 *
 * NOTE(review): the memset below also zeroes the handshake hash states and
 * the secure.* record MAC states without freeing them first. That is only
 * leak-free if those states own no heap-allocated context -- confirm against
 * the s2n_hash_state / s2n_hmac_state definitions in use.
 */
int s2n_connection_wipe(struct s2n_connection *conn)
{
    /* First make a copy of everything we'd like to save, which isn't very
     * much. */
    int mode = conn->mode;
    struct s2n_config *config = conn->config;
    struct s2n_stuffer alert_in;
    struct s2n_stuffer reader_alert_out;
    struct s2n_stuffer writer_alert_out;
    struct s2n_stuffer handshake_io;
    struct s2n_stuffer header_in;
    struct s2n_stuffer in;
    struct s2n_stuffer out;

    /* Session keys will be wiped. Preserve structs to avoid reallocation */
    struct s2n_session_key initial_client_key;
    struct s2n_session_key initial_server_key;
    struct s2n_session_key secure_client_key;
    struct s2n_session_key secure_server_key;

    /* Wipe all of the sensitive stuff */
    GUARD(s2n_connection_wipe_keys(conn));
    GUARD(s2n_stuffer_wipe(&conn->alert_in));
    GUARD(s2n_stuffer_wipe(&conn->reader_alert_out));
    GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
    GUARD(s2n_stuffer_wipe(&conn->handshake.io));
    GUARD(s2n_stuffer_wipe(&conn->header_in));
    GUARD(s2n_stuffer_wipe(&conn->in));
    GUARD(s2n_stuffer_wipe(&conn->out));

    /* Restore the socket option values */
    GUARD(s2n_socket_read_restore(conn));
    GUARD(s2n_socket_write_restore(conn));

    GUARD(s2n_free(&conn->status_response));

    /* Allocate or resize to their original sizes */
    GUARD(s2n_stuffer_resize(&conn->in, S2N_LARGE_FRAGMENT_LENGTH));

    /* Allocate memory for handling handshakes */
    GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH));

    /* Clone the stuffers: only the struct headers are copied, the backing
     * memory they point at stays where it is. */
    /* ignore gcc 4.7 address warnings because dest is allocated on the stack */
    /* pragma gcc diagnostic was added in gcc 4.6 */
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
    memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer));
    memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer));
    memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer));
    memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer));
    memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer));
    memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer));
    memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer));
    memcpy_check(&initial_client_key, &conn->initial.client_key, sizeof(struct s2n_session_key));
    memcpy_check(&initial_server_key, &conn->initial.server_key, sizeof(struct s2n_session_key));
    memcpy_check(&secure_client_key, &conn->secure.client_key, sizeof(struct s2n_session_key));
    memcpy_check(&secure_server_key, &conn->secure.server_key, sizeof(struct s2n_session_key));
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic pop
#endif

    /* Zero the whole connection structure. conn stays live after this, so the
     * compiler cannot drop the memset; the secrets themselves were already
     * wiped above. */
    memset_check(conn, 0, sizeof(struct s2n_connection));

    conn->readfd = -1;
    conn->writefd = -1;
    conn->mode = mode;
    conn->config = config;
    conn->close_notify_queued = 0;
    conn->current_user_data_consumed = 0;
    conn->initial.cipher_suite = &s2n_null_cipher_suite;
    conn->secure.cipher_suite = &s2n_null_cipher_suite;
    /* Both directions start on the unencrypted "initial" crypto parameters */
    conn->server = &conn->initial;
    conn->client = &conn->initial;
    conn->max_fragment_length = S2N_SMALL_FRAGMENT_LENGTH;
    conn->handshake.handshake_type = INITIAL;
    conn->handshake.message_number = 0;

    GUARD(s2n_hash_init(&conn->handshake.md5, S2N_HASH_MD5));
    GUARD(s2n_hash_init(&conn->handshake.sha1, S2N_HASH_SHA1));
    GUARD(s2n_hash_init(&conn->handshake.sha256, S2N_HASH_SHA256));
    GUARD(s2n_hash_init(&conn->handshake.sha384, S2N_HASH_SHA384));

    /* client and server both point at conn->initial here, so only the initial
     * record MACs are re-initialised; the secure ones remain as zeroed by the
     * memset, presumably to be set up by key expansion -- confirm. */
    GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0));
    GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0));

    /* Put the saved stuffer headers and session key structs back */
    memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer));
    memcpy_check(&conn->initial.client_key, &initial_client_key, sizeof(struct s2n_session_key));
    memcpy_check(&conn->initial.server_key, &initial_server_key, sizeof(struct s2n_session_key));
    memcpy_check(&conn->secure.client_key, &secure_client_key, sizeof(struct s2n_session_key));
    memcpy_check(&conn->secure.server_key, &secure_server_key, sizeof(struct s2n_session_key));

    /* Our own side advertises the highest version we support; the peer's
     * version is unknown until its hello arrives. */
    if (conn->mode == S2N_SERVER) {
        conn->server_protocol_version = s2n_highest_protocol_version;
        conn->client_protocol_version = s2n_unknown_protocol_version;
    } else {
        conn->server_protocol_version = s2n_unknown_protocol_version;
        conn->client_protocol_version = s2n_highest_protocol_version;
    }
    conn->actual_protocol_version = s2n_unknown_protocol_version;

    return 0;
}
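/* Hex-encode the first `len` bytes of `digest` into a scratch buffer and
 * compare the encoding with `expected` (two characters per byte, exactly as
 * s2n_stuffer_write_uint8_hex writes them).
 *
 * A fresh stuffer over a fresh buffer is used on every call, so the encoding
 * of an earlier digest can never satisfy a later comparison. Returns 0 on a
 * match, -1 on a mismatch or if the scratch stuffer cannot be set up. */
static int s2n_check_digest_hex(const uint8_t *digest, int len, const char *expected)
{
    uint8_t output_pad[256];
    struct s2n_blob out = {.data = output_pad, .size = sizeof(output_pad) };
    struct s2n_stuffer output;

    if (s2n_stuffer_init(&output, &out) < 0) {
        return -1;
    }
    for (int i = 0; i < len; i++) {
        if (s2n_stuffer_write_uint8_hex(&output, digest[i]) < 0) {
            return -1;
        }
    }
    return memcmp(output_pad, expected, (size_t) len * 2) == 0 ? 0 : -1;
}

/* HMAC known-answer tests for every s2n_hmac_algorithm, plus checks that
 * s2n_hmac_copy, s2n_hmac_reset and s2n_hmac_digest_verify behave.
 *
 * Fix over the previous version: the "check the copy" step used to append
 * the copy's hex to the same output stuffer as the first digest and then
 * compare the buffer's first 32 bytes again -- i.e. it re-verified the first
 * digest and never looked at the copy's. Every comparison now goes through
 * s2n_check_digest_hex, which encodes into a fresh buffer. A negative case
 * for s2n_hmac_digest_verify is also added; the positive case alone could
 * not tell a working verify from one that always succeeds. */
int main(int argc, char **argv)
{
    uint8_t digest_pad[256];
    uint8_t check_pad[256];
    uint8_t sekrit[] = "sekrit";
    uint8_t longsekrit[] = "This is a really really really long key on purpose to make sure that it's longer than the block size";
    uint8_t hello[] = "Hello world!";
    struct s2n_hmac_state hmac, copy;
    struct s2n_hmac_state cmac;

    BEGIN_TEST();

    /* HMAC-MD5 with a short key */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_MD5), 16);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    /* Snapshot the state before finalising so the copy can be checked below */
    EXPECT_SUCCESS(s2n_hmac_copy(&copy, &hmac));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* The copy taken before finalisation must finalise to the same digest */
    EXPECT_SUCCESS(s2n_hmac_digest(&copy, digest_pad, 16));
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* A reset must let the keyed state be reused for a new message */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "3ad68c53dc1a3cf35f6469877fae4585"));

    /* HMAC-MD5 with a key longer than the hash block size (the over-long-key path) */
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, longsekrit, sizeof(longsekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "2ce569d61f4ee6ad9ceebe02a112ace7"));

    /* Reset with the long key must also reproduce the digest */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "2ce569d61f4ee6ad9ceebe02a112ace7"));

    /* s2n_hmac_digest_verify must accept two equal digests computed independently ... */
    EXPECT_SUCCESS(s2n_hmac_init(&cmac, S2N_HMAC_MD5, longsekrit, sizeof(longsekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&cmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&cmac, check_pad, 16));
    EXPECT_SUCCESS(s2n_hmac_digest_verify(digest_pad, 16, check_pad, 16));

    /* ... and must reject a digest that differs in a single bit
     * (-1 is s2n's failure return). */
    check_pad[0] ^= 0x01;
    EXPECT_EQUAL(s2n_hmac_digest_verify(digest_pad, 16, check_pad, 16), -1);

    /* HMAC-SHA1 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA1, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 20, "6d301861b599938eca94f6de917362886d97882f"));

    /* HMAC-SHA256 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA256), 32);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA256, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 32));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 32, "adc20b12d236e6d1824d690622e33ead4f67ba5a2be9606fe762b2dd859a78a9"));

    /* HMAC-SHA384 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA384), 48);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA384, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 48));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 48, "8552563cadd583b79dcc7225bb79bc6483c63f259187162e1c9d4283eb6299ef1bc3ca81c0c40fc7b22f7a1f3b93adb4"));

    /* HMAC-SHA512 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA512), 64);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA512, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 64));
    /* Reference value from python */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 64, "0a834a1ed265042e2897405edb4fdd9818950cd5bea10b828f2fed45a1cb6dbd2107e4b04eb20f211998cd4e8c7e11ebdcb0103ac63882481e1bb8083d07f4be"));

    /* SSLv3 MD5 MAC */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5), 16);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    /* Reference value from Go */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "d4f0d06b9765de23e6c3e33a24c5ded0"));

    /* Reset must work for the SSLv3 variant too */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 16, "d4f0d06b9765de23e6c3e33a24c5ded0"));

    /* SSLv3 SHA1 MAC */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_SHA1, sekrit, sizeof(sekrit) - 1));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    /* Reference value from Go */
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 20, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326"));

    /* Reset must work for the SSLv3 SHA1 variant too */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, sizeof(hello) - 1));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    EXPECT_SUCCESS(s2n_check_digest_hex(digest_pad, 20, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326"));

    END_TEST();
}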
/* Derive the record-layer keys for conn->secure from the master secret.
 *
 * The PRF is run with the "key expansion" label over server_random and
 * client_random, and the resulting key block is then consumed front to back
 * in the fixed TLS order (RFC 5246 section 6.3): client MAC key, server MAC
 * key, client write key, server write key and -- only for SSLv3/TLS 1.0, or
 * for AEAD ciphers -- the client and server implicit IVs. Under SSLv3 the
 * suite's HMAC algorithm is swapped for the SSLv3-specific MAC variant.
 *
 * Returns 0 on success, -1 on any failure (PRF, stuffer, MAC or cipher set-up,
 * or an HMAC algorithm SSLv3 has no equivalent for).
 *
 * NOTE(review): key_block holds every derived record key and is left on the
 * stack unwiped at return; consider clearing it with a non-elidable memset
 * once the keys are installed, unless a caller already guarantees that --
 * confirm before changing.
 */
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
    uint8_t key_expansion_label[] = "key expansion";
    uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];

    struct s2n_blob client_random = {.data = conn->secure.client_random, .size = sizeof(conn->secure.client_random) };
    struct s2n_blob server_random = {.data = conn->secure.server_random, .size = sizeof(conn->secure.server_random) };
    struct s2n_blob master_secret = {.data = conn->secure.master_secret, .size = sizeof(conn->secure.master_secret) };
    /* The label's trailing NUL is not part of the PRF input */
    struct s2n_blob label = {.data = key_expansion_label, .size = sizeof(key_expansion_label) - 1 };
    struct s2n_blob out = {.data = key_block, .size = sizeof(key_block) };
    struct s2n_stuffer key_material;

    /* Seed order for key expansion is server_random then client_random */
    GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, &out));

    /* Expose the key block through a stuffer so it can be consumed sequentially */
    GUARD(s2n_stuffer_init(&key_material, &out));
    GUARD(s2n_stuffer_write(&key_material, &out));

    GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.client_key));
    GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.server_key));

    /* SSLv3 defines its own MAC variants; select them when that version was negotiated */
    s2n_hmac_algorithm record_mac_alg = conn->secure.cipher_suite->hmac_alg;
    if (conn->actual_protocol_version == S2N_SSLv3) {
        switch (record_mac_alg) {
        case S2N_HMAC_SHA1:
            record_mac_alg = S2N_HMAC_SSLv3_SHA1;
            break;
        case S2N_HMAC_MD5:
            record_mac_alg = S2N_HMAC_SSLv3_MD5;
            break;
        default:
            S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
        }
    }

    /* Check that we have a valid MAC and key size */
    int mac_size = s2n_hmac_digest_size(record_mac_alg);
    GUARD(mac_size);

    /* MAC keys come first in the key block: client, then server. The pointers
     * returned by raw_read point into key_block; no copy is made here. */
    uint8_t *client_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(client_mac_key);
    GUARD(s2n_hmac_init(&conn->secure.client_record_mac, record_mac_alg, client_mac_key, mac_size));

    uint8_t *server_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
    notnull_check(server_mac_key);
    GUARD(s2n_hmac_init(&conn->secure.server_record_mac, record_mac_alg, server_mac_key, mac_size));

    /* Then the bulk-cipher keys. Each side's write key is an encryption key
     * for the endpoint that writes with it and a decryption key for its peer. */
    struct s2n_blob client_write_key = {.size = conn->secure.cipher_suite->cipher->key_material_size };
    client_write_key.data = s2n_stuffer_raw_read(&key_material, client_write_key.size);
    notnull_check(client_write_key.data);
    if (conn->mode == S2N_CLIENT) {
        GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.client_key, &client_write_key));
    } else {
        GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &client_write_key));
    }

    struct s2n_blob server_write_key = {.size = conn->secure.cipher_suite->cipher->key_material_size };
    server_write_key.data = s2n_stuffer_raw_read(&key_material, server_write_key.size);
    notnull_check(server_write_key.data);
    if (conn->mode == S2N_SERVER) {
        GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &server_write_key));
    } else {
        GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.server_key, &server_write_key));
    }

    /* TLS >= 1.1 carries an explicit per-record IV for non-AEAD ciphers, so
     * the key block contributes no implicit IV there and the rest is unused. */
    if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->cipher->type != S2N_AEAD) {
        return 0;
    }

    uint32_t implicit_iv_size;
    switch (conn->secure.cipher_suite->cipher->type) {
    case S2N_AEAD:
        implicit_iv_size = conn->secure.cipher_suite->cipher->io.aead.fixed_iv_size;
        break;
    case S2N_CBC:
        implicit_iv_size = conn->secure.cipher_suite->cipher->io.cbc.block_size;
        break;
    default:
        /* Stream ciphers have no IV: the zero-length reads below consume nothing */
        implicit_iv_size = 0;
        break;
    }

    struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv, .size = implicit_iv_size };
    struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv, .size = implicit_iv_size };
    GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
    GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));

    return 0;
}