int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t mac_key[] = "sample mac key";
uint8_t aes128_key[] = "123456789012345";
struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
uint8_t random_data[S2N_LARGE_RECORD_LENGTH + 1];
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->secure;
conn->client = &conn->secure;
/* test the AES128 cipher with a SHA1 hash */
conn->secure.cipher_suite->cipher = &s2n_aes128;
conn->secure.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &aes128));
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &aes128));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS11;
/* Align the record size, then subtract 20 bytes for the HMAC, 16 bytes for the explicit IV, and one byte
* for the padding length byte.
*/
int small_aligned_payload = S2N_SMALL_FRAGMENT_LENGTH - (S2N_SMALL_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
int large_aligned_payload = S2N_LARGE_FRAGMENT_LENGTH - (S2N_LARGE_FRAGMENT_LENGTH % 16) - 20 - 16 - 1;
int bytes_written;
/* Check the default: small record */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, small_aligned_payload);
/* Check explicitly small records */
EXPECT_SUCCESS(s2n_connection_prefer_low_latency(conn));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, small_aligned_payload);
/* Check explicitly large records */
EXPECT_SUCCESS(s2n_connection_prefer_throughput(conn));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &r));
EXPECT_EQUAL(bytes_written, large_aligned_payload);
/* Clean up */
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.server_key));
EXPECT_SUCCESS(conn->secure.cipher_suite->cipher->destroy_key(&conn->secure.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_hmac_init(&conn->secure.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
END_TEST();
}
static int s2n_p_hash(union s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret,
struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out)
{
struct s2n_hmac_state *hmac = &ws->tls.hmac;
uint32_t digest_size = s2n_hmac_digest_size(alg);
/* First compute hmac(secret + A(0)) */
GUARD(s2n_hmac_init(hmac, alg, secret->data, secret->size));
GUARD(s2n_hmac_update(hmac, label->data, label->size));
GUARD(s2n_hmac_update(hmac, seed_a->data, seed_a->size));
if (seed_b) {
GUARD(s2n_hmac_update(hmac, seed_b->data, seed_b->size));
}
GUARD(s2n_hmac_digest(hmac, ws->tls.digest0, digest_size));
uint32_t outputlen = out->size;
uint8_t *output = out->data;
while (outputlen) {
/* Now compute hmac(secret + A(N - 1) + seed) */
GUARD(s2n_hmac_reset(hmac));
GUARD(s2n_hmac_update(hmac, ws->tls.digest0, digest_size));
/* Add the label + seed and compute this round's A */
GUARD(s2n_hmac_update(hmac, label->data, label->size));
GUARD(s2n_hmac_update(hmac, seed_a->data, seed_a->size));
if (seed_b) {
GUARD(s2n_hmac_update(hmac, seed_b->data, seed_b->size));
}
GUARD(s2n_hmac_digest(hmac, ws->tls.digest1, digest_size));
uint32_t bytes_to_xor = MIN(outputlen, digest_size);
for (int i = 0; i < bytes_to_xor; i++) {
*output ^= ws->tls.digest1[i];
output++;
outputlen--;
}
/* Stash a digest of A(N), in A(N), for the next round */
GUARD(s2n_hmac_reset(hmac));
GUARD(s2n_hmac_update(hmac, ws->tls.digest0, digest_size));
GUARD(s2n_hmac_digest(hmac, ws->tls.digest0, digest_size));
}
return 0;
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t mac_key[] = "sample mac key";
uint8_t rc4_key[] = "123456789012345";
struct s2n_blob key_iv = {.data = rc4_key,.size = sizeof(rc4_key) };
uint8_t random_data[S2N_SMALL_FRAGMENT_LENGTH + 1];
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->active;
/* test the RC4 cipher with a SHA1 hash */
conn->active.cipher_suite->cipher = &s2n_rc4;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->init(&conn->active.client_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &key_iv));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &key_iv));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS11;
for (int i = 0; i <= S2N_SMALL_FRAGMENT_LENGTH + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
if (i <= S2N_SMALL_FRAGMENT_LENGTH - 20) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, S2N_SMALL_FRAGMENT_LENGTH - 20);
}
uint16_t predicted_length = bytes_written + 20;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 2);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5))
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)))
/* Check that the data looks right */
EXPECT_EQUAL(bytes_written + 20, s2n_stuffer_data_available(&conn->in));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
END_TEST();
}
int s2n_connection_wipe(struct s2n_connection *conn)
{
/* First make a copy of everything we'd like to save, which isn't very
* much.
*/
int mode = conn->mode;
struct s2n_config *config = conn->config;
struct s2n_stuffer alert_in;
struct s2n_stuffer reader_alert_out;
struct s2n_stuffer writer_alert_out;
struct s2n_stuffer handshake_io;
struct s2n_stuffer header_in;
struct s2n_stuffer in;
struct s2n_stuffer out;
/* Wipe all of the sensitive stuff */
GUARD(s2n_connection_free_keys(conn));
GUARD(s2n_stuffer_wipe(&conn->alert_in));
GUARD(s2n_stuffer_wipe(&conn->reader_alert_out));
GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
GUARD(s2n_stuffer_wipe(&conn->handshake.io));
GUARD(s2n_stuffer_wipe(&conn->header_in));
GUARD(s2n_stuffer_wipe(&conn->in));
GUARD(s2n_stuffer_wipe(&conn->out));
/* Allocate or resize to their original sizes */
GUARD(s2n_stuffer_resize(&conn->in, S2N_DEFAULT_FRAGMENT_LENGTH));
/* Allocate memory for handling handshakes */
GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_DEFAULT_RECORD_LENGTH));
/* Clone the stuffers */
/* ignore gcc 4.7 address warnings because dest is allocated on the stack */
/* pragma gcc diagnostic was added in gcc 4.6 */
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer));
memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer));
memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer));
memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer));
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic pop
#endif
/* Zero the whole connection structure */
memset_check(conn, 0, sizeof(struct s2n_connection));
conn->readfd = -1;
conn->writefd = -1;
conn->mode = mode;
conn->config = config;
conn->active.cipher_suite = &s2n_null_cipher_suite;
conn->pending.cipher_suite = &s2n_null_cipher_suite;
conn->server = &conn->active;
conn->client = &conn->active;
conn->max_fragment_length = S2N_DEFAULT_FRAGMENT_LENGTH;
conn->handshake.state = CLIENT_HELLO;
GUARD(s2n_hash_init(&conn->handshake.client_md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.client_sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.client_sha256, S2N_HASH_SHA256));
GUARD(s2n_hash_init(&conn->handshake.server_md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.server_sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.server_sha256, S2N_HASH_SHA256));
GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0));
GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0));
memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer));
memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer));
/* Set everything to the highest version at first */
conn->server_protocol_version = s2n_highest_protocol_version;
conn->client_protocol_version = s2n_highest_protocol_version;
conn->actual_protocol_version = s2n_highest_protocol_version;
return 0;
}
int main(int argc, char **argv)
{
struct s2n_connection *conn;
uint8_t random_data[S2N_DEFAULT_FRAGMENT_LENGTH + 1];
uint8_t mac_key[] = "sample mac key";
uint8_t aes128_key[] = "123456789012345";
uint8_t aes256_key[] = "1234567890123456789012345678901";
struct s2n_blob aes128 = {.data = aes128_key,.size = sizeof(aes128_key) };
struct s2n_blob aes256 = {.data = aes256_key,.size = sizeof(aes256_key) };
struct s2n_blob r = {.data = random_data, .size = sizeof(random_data)};
BEGIN_TEST();
EXPECT_SUCCESS(s2n_init());
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_get_urandom_data(&r));
/* Peer and we are in sync */
conn->server = &conn->active;
conn->client = &conn->active;
/* test the AES128 cipher with a SHA1 hash */
conn->active.cipher_suite->cipher = &s2n_aes128_gcm;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes128));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes128));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS12;
int max_fragment = S2N_DEFAULT_FRAGMENT_LENGTH;
for (int i = 0; i <= max_fragment + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
static const int overhead = 20 /* TLS header */
+ 8 /* IV */
+ 16; /* TAG */
if (i < max_fragment - overhead) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, max_fragment - overhead);
}
uint16_t predicted_length = bytes_written + 20;
predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 3);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Now lets corrupt some data and ensure the tests pass */
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */
conn->in.blob.data[2] = 2;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Tamper with the IV and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper with the TAG and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[conn->in.blob.size - j - 1] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper w ith the cipher text and ensure decryption fails */
for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
/* test the AES256 cipher with a SHA1 hash */
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
conn->active.cipher_suite->cipher = &s2n_aes256_gcm;
conn->active.cipher_suite->hmac_alg = S2N_HMAC_SHA1;
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_encryption_key(&conn->active.server_key, &aes256));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->get_decryption_key(&conn->active.client_key, &aes256));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
EXPECT_SUCCESS(s2n_hmac_init(&conn->active.server_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key)));
conn->actual_protocol_version = S2N_TLS12;
for (int i = 0; i <= max_fragment + 1; i++) {
struct s2n_blob in = {.data = random_data,.size = i };
int bytes_written;
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->out));
EXPECT_SUCCESS(bytes_written = s2n_record_write(conn, TLS_APPLICATION_DATA, &in));
static const int overhead = 20 /* TLS header */
+ 8 /* IV */
+ 16; /* TAG */
if (i < max_fragment - overhead) {
EXPECT_EQUAL(bytes_written, i);
} else {
EXPECT_EQUAL(bytes_written, max_fragment - overhead);
}
uint16_t predicted_length = bytes_written + 20;
predicted_length += conn->active.cipher_suite->cipher->io.aead.record_iv_size;
predicted_length += conn->active.cipher_suite->cipher->io.aead.tag_size;
EXPECT_EQUAL(conn->out.blob.data[0], TLS_APPLICATION_DATA);
EXPECT_EQUAL(conn->out.blob.data[1], 3);
EXPECT_EQUAL(conn->out.blob.data[2], 3);
EXPECT_EQUAL(conn->out.blob.data[3], (predicted_length >> 8) & 0xff);
EXPECT_EQUAL(conn->out.blob.data[4], predicted_length & 0xff);
/* The data should be encrypted */
if (bytes_written > 10) {
EXPECT_NOT_EQUAL(memcmp(conn->out.blob.data + 5, random_data, bytes_written), 0);
}
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Let's decrypt it */
uint8_t content_type;
uint16_t fragment_length;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_SUCCESS(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_EQUAL(fragment_length, predicted_length);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Now lets corrupt some data and ensure the tests pass */
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
/* Tamper the protocol version in the header, and ensure decryption fails, as we use this in the AAD */
conn->in.blob.data[2] = 2;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
/* Tamper with the IV and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_IV_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper with the TAG and ensure decryption fails */
for (int j = 0; j < S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[conn->in.blob.size - j - 1] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
/* Tamper w ith the cipher text and ensure decryption fails */
for (int j = S2N_TLS_GCM_IV_LEN; j < conn->in.blob.size - S2N_TLS_GCM_TAG_LEN; j++) {
/* Copy the encrypted out data to the in data */
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->out));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->header_in, 5));
EXPECT_SUCCESS(s2n_stuffer_copy(&conn->out, &conn->in, s2n_stuffer_data_available(&conn->out)));
conn->in.blob.data[5 + j] ++;
EXPECT_SUCCESS(s2n_record_header_parse(conn, &content_type, &fragment_length));
EXPECT_FAILURE(s2n_record_parse(conn));
EXPECT_EQUAL(content_type, TLS_APPLICATION_DATA);
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->header_in));
EXPECT_SUCCESS(s2n_stuffer_wipe(&conn->in));
}
}
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.server_key));
EXPECT_SUCCESS(conn->active.cipher_suite->cipher->destroy_key(&conn->active.client_key));
EXPECT_SUCCESS(s2n_connection_free(conn));
END_TEST();
}
static int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
{
/* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
S2N_ERROR_IF(seed_a == NULL, S2N_ERR_PRF_INVALID_SEED);
S2N_ERROR_IF(seed_b == NULL && seed_c != NULL, S2N_ERR_PRF_INVALID_SEED);
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_prf(&conn->prf_space, secret, seed_a, seed_b, seed_c, out);
}
/* We zero the out blob because p_hash works by XOR'ing with the existing
* buffer. This is a little convoluted but means we can avoid dynamic memory
* allocation. When we call p_hash once (in the TLS1.2 case) it will produce
* the right values. When we call it twice in the regular case, the two
* outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
*/
GUARD(s2n_blob_zero(out));
/* Ensure that p_hash_hmac_impl is set, as it may have been reset for prf_space on s2n_connection_wipe.
* When in FIPS mode, the EVP API's must be used for the p_hash HMAC.
*/
conn->prf_space.tls.p_hash_hmac_impl = s2n_is_in_fips_mode() ? &s2n_evp_hmac : &s2n_hmac;
if (conn->actual_protocol_version == S2N_TLS12) {
return s2n_p_hash(&conn->prf_space, conn->secure.cipher_suite->tls12_prf_alg, secret, label, seed_a, seed_b,
seed_c, out);
}
struct s2n_blob half_secret = {.data = secret->data,.size = (secret->size + 1) / 2 };
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
half_secret.data += secret->size - half_secret.size;
GUARD(s2n_p_hash(&conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
return 0;
}
int s2n_tls_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};
uint8_t master_secret_label[] = "master secret";
struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};
return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
}
int s2n_hybrid_prf_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
{
struct s2n_blob client_random = {.size = sizeof(conn->secure.client_random), .data = conn->secure.client_random};
struct s2n_blob server_random = {.size = sizeof(conn->secure.server_random), .data = conn->secure.server_random};
struct s2n_blob master_secret = {.size = sizeof(conn->secure.master_secret), .data = conn->secure.master_secret};
uint8_t master_secret_label[] = "hybrid master secret";
struct s2n_blob label = {.size = sizeof(master_secret_label) - 1, .data = master_secret_label};
return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->secure.client_key_exchange_message, &master_secret);
}
static int s2n_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *md5, struct s2n_hash_state *sha1, uint8_t * out)
{
uint8_t xorpad1[48] =
{ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
uint8_t xorpad2[48] =
{ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
};
uint8_t *md5_digest = out;
uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
GUARD(s2n_hash_update(md5, prefix, 4));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad1, 48));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(md5, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(md5, xorpad2, 48));
GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_reset(md5));
GUARD(s2n_hash_update(sha1, prefix, 4));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad1, 40));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
GUARD(s2n_hash_update(sha1, conn->secure.master_secret, sizeof(conn->secure.master_secret)));
GUARD(s2n_hash_update(sha1, xorpad2, 40));
GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
GUARD(s2n_hash_reset(sha1));
return 0;
}
static int s2n_sslv3_client_finished(struct s2n_connection *conn)
{
uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.client_finished));
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.client_finished);
}
static int s2n_sslv3_server_finished(struct s2n_connection *conn)
{
uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
lte_check(MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, sizeof(conn->handshake.server_finished));
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
return s2n_sslv3_finished(conn, prefix, &conn->handshake.prf_md5_hash_copy, &conn->handshake.prf_sha1_hash_copy, conn->handshake.server_finished);
}
int s2n_prf_client_finished(struct s2n_connection *conn)
{
struct s2n_blob master_secret, md5, sha;
uint8_t md5_digest[MD5_DIGEST_LENGTH];
uint8_t sha_digest[SHA384_DIGEST_LENGTH];
uint8_t client_finished_label[] = "client finished";
struct s2n_blob client_finished = {0};
struct s2n_blob label = {0};
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_client_finished(conn);
}
client_finished.data = conn->handshake.client_finished;
client_finished.size = S2N_TLS_FINISHED_LEN;
label.data = client_finished_label;
label.size = sizeof(client_finished_label) - 1;
master_secret.data = conn->secure.master_secret;
master_secret.size = sizeof(conn->secure.master_secret);
if (conn->actual_protocol_version == S2N_TLS12) {
switch (conn->secure.cipher_suite->tls12_prf_alg) {
case S2N_HMAC_SHA256:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
sha.size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
sha.size = SHA384_DIGEST_LENGTH;
break;
default:
S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
}
sha.data = sha_digest;
return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
}
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
md5.data = md5_digest;
md5.size = MD5_DIGEST_LENGTH;
sha.data = sha_digest;
sha.size = SHA_DIGEST_LENGTH;
return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
}
int s2n_prf_server_finished(struct s2n_connection *conn)
{
struct s2n_blob master_secret, md5, sha;
uint8_t md5_digest[MD5_DIGEST_LENGTH];
uint8_t sha_digest[SHA384_DIGEST_LENGTH];
uint8_t server_finished_label[] = "server finished";
struct s2n_blob server_finished = {0};
struct s2n_blob label = {0};
if (conn->actual_protocol_version == S2N_SSLv3) {
return s2n_sslv3_server_finished(conn);
}
server_finished.data = conn->handshake.server_finished;
server_finished.size = S2N_TLS_FINISHED_LEN;
label.data = server_finished_label;
label.size = sizeof(server_finished_label) - 1;
master_secret.data = conn->secure.master_secret;
master_secret.size = sizeof(conn->secure.master_secret);
if (conn->actual_protocol_version == S2N_TLS12) {
switch (conn->secure.cipher_suite->tls12_prf_alg) {
case S2N_HMAC_SHA256:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha256));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA256_DIGEST_LENGTH));
sha.size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
GUARD(s2n_hash_copy(&conn->handshake.prf_tls12_hash_copy, &conn->handshake.sha384));
GUARD(s2n_hash_digest(&conn->handshake.prf_tls12_hash_copy, sha_digest, SHA384_DIGEST_LENGTH));
sha.size = SHA384_DIGEST_LENGTH;
break;
default:
S2N_ERROR(S2N_ERR_PRF_INVALID_ALGORITHM);
}
sha.data = sha_digest;
return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
}
GUARD(s2n_hash_copy(&conn->handshake.prf_md5_hash_copy, &conn->handshake.md5));
GUARD(s2n_hash_copy(&conn->handshake.prf_sha1_hash_copy, &conn->handshake.sha1));
GUARD(s2n_hash_digest(&conn->handshake.prf_md5_hash_copy, md5_digest, MD5_DIGEST_LENGTH));
GUARD(s2n_hash_digest(&conn->handshake.prf_sha1_hash_copy, sha_digest, SHA_DIGEST_LENGTH));
md5.data = md5_digest;
md5.size = MD5_DIGEST_LENGTH;
sha.data = sha_digest;
sha.size = SHA_DIGEST_LENGTH;
return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
}
static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
struct s2n_blob client_key = {0};
client_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
client_key.data = s2n_stuffer_raw_read(key_material, client_key.size);
notnull_check(client_key.data);
if (conn->mode == S2N_CLIENT) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.client_key, &client_key));
} else {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.client_key, &client_key));
}
return 0;
}
static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_stuffer *key_material)
{
struct s2n_blob server_key = {0};
server_key.size = conn->secure.cipher_suite->record_alg->cipher->key_material_size;
server_key.data = s2n_stuffer_raw_read(key_material, server_key.size);
notnull_check(server_key.data);
if (conn->mode == S2N_SERVER) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure.server_key, &server_key));
} else {
GUARD(conn->secure.cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure.server_key, &server_key));
}
return 0;
}
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) };
struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) };
struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) };
struct s2n_blob label, out;
uint8_t key_expansion_label[] = "key expansion";
uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];
label.data = key_expansion_label;
label.size = sizeof(key_expansion_label) - 1;
out.data = key_block;
out.size = sizeof(key_block);
struct s2n_stuffer key_material = {{0}};
GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &out));
GUARD(s2n_stuffer_init(&key_material, &out));
GUARD(s2n_stuffer_write(&key_material, &out));
GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.client_key));
GUARD(conn->secure.cipher_suite->record_alg->cipher->init(&conn->secure.server_key));
/* Check that we have a valid MAC and key size */
uint8_t mac_size;
if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
mac_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.mac_key_size;
} else {
GUARD(s2n_hmac_digest_size(conn->secure.cipher_suite->record_alg->hmac_alg, &mac_size));
}
/* Seed the client MAC */
uint8_t *client_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(client_mac_write_key);
GUARD(s2n_hmac_reset(&conn->secure.client_record_mac));
GUARD(s2n_hmac_init(&conn->secure.client_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, client_mac_write_key, mac_size));
/* Seed the server MAC */
uint8_t *server_mac_write_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(server_mac_write_key);
GUARD(s2n_hmac_reset(&conn->secure.server_record_mac));
GUARD(s2n_hmac_init(&conn->secure.server_record_mac, conn->secure.cipher_suite->record_alg->hmac_alg, server_mac_write_key, mac_size));
/* Make the client key */
GUARD(s2n_prf_make_client_key(conn, &key_material));
/* Make the server key */
GUARD(s2n_prf_make_server_key(conn, &key_material));
/* Composite CBC does MAC inside the cipher, pass it the MAC key.
* Must happen after setting encryption/decryption keys.
*/
if (conn->secure.cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.server_key, server_mac_write_key, mac_size));
GUARD(conn->secure.cipher_suite->record_alg->cipher->io.comp.set_mac_write_key(&conn->secure.client_key, client_mac_write_key, mac_size));
}
/* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */
if (conn->actual_protocol_version > S2N_TLS10 && conn->secure.cipher_suite->record_alg->cipher->type != S2N_AEAD) {
return 0;
}
uint32_t implicit_iv_size = 0;
switch (conn->secure.cipher_suite->record_alg->cipher->type) {
case S2N_AEAD:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.aead.fixed_iv_size;
break;
case S2N_CBC:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.cbc.block_size;
break;
case S2N_COMPOSITE:
implicit_iv_size = conn->secure.cipher_suite->record_alg->cipher->io.comp.block_size;
break;
/* No-op for stream ciphers */
default:
break;
}
struct s2n_blob client_implicit_iv = {.data = conn->secure.client_implicit_iv,.size = implicit_iv_size };
struct s2n_blob server_implicit_iv = {.data = conn->secure.server_implicit_iv,.size = implicit_iv_size };
GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));
return 0;
}
static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
{
return s2n_hmac_init(&ws->tls.p_hash.s2n_hmac, alg, secret->data, secret->size);
}
static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
{
GUARD(s2n_hmac_new(&ws->tls.p_hash.s2n_hmac));
return s2n_hmac_init(&ws->tls.p_hash.s2n_hmac, S2N_HMAC_NONE, NULL, 0);
}
int s2n_connection_wipe(struct s2n_connection *conn)
{
/* First make a copy of everything we'd like to save, which isn't very
* much.
*/
int mode = conn->mode;
struct s2n_config *config = conn->config;
struct s2n_stuffer alert_in;
struct s2n_stuffer reader_alert_out;
struct s2n_stuffer writer_alert_out;
struct s2n_stuffer handshake_io;
struct s2n_stuffer header_in;
struct s2n_stuffer in;
struct s2n_stuffer out;
/* Session keys will be wiped. Preserve structs to avoid reallocation */
struct s2n_session_key initial_client_key;
struct s2n_session_key initial_server_key;
struct s2n_session_key secure_client_key;
struct s2n_session_key secure_server_key;
/* Wipe all of the sensitive stuff */
GUARD(s2n_connection_wipe_keys(conn));
GUARD(s2n_stuffer_wipe(&conn->alert_in));
GUARD(s2n_stuffer_wipe(&conn->reader_alert_out));
GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
GUARD(s2n_stuffer_wipe(&conn->handshake.io));
GUARD(s2n_stuffer_wipe(&conn->header_in));
GUARD(s2n_stuffer_wipe(&conn->in));
GUARD(s2n_stuffer_wipe(&conn->out));
/* Restore the socket option values */
GUARD(s2n_socket_read_restore(conn));
GUARD(s2n_socket_write_restore(conn));
GUARD(s2n_free(&conn->status_response));
/* Allocate or resize to their original sizes */
GUARD(s2n_stuffer_resize(&conn->in, S2N_LARGE_FRAGMENT_LENGTH));
/* Allocate memory for handling handshakes */
GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH));
/* Clone the stuffers */
/* ignore gcc 4.7 address warnings because dest is allocated on the stack */
/* pragma gcc diagnostic was added in gcc 4.6 */
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer));
memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer));
memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer));
memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer));
memcpy_check(&initial_client_key, &conn->initial.client_key, sizeof(struct s2n_session_key));
memcpy_check(&initial_server_key, &conn->initial.server_key, sizeof(struct s2n_session_key));
memcpy_check(&secure_client_key, &conn->secure.client_key, sizeof(struct s2n_session_key));
memcpy_check(&secure_server_key, &conn->secure.server_key, sizeof(struct s2n_session_key));
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic pop
#endif
/* Zero the whole connection structure */
memset_check(conn, 0, sizeof(struct s2n_connection));
conn->readfd = -1;
conn->writefd = -1;
conn->mode = mode;
conn->config = config;
conn->close_notify_queued = 0;
conn->current_user_data_consumed = 0;
conn->initial.cipher_suite = &s2n_null_cipher_suite;
conn->secure.cipher_suite = &s2n_null_cipher_suite;
conn->server = &conn->initial;
conn->client = &conn->initial;
conn->max_fragment_length = S2N_SMALL_FRAGMENT_LENGTH;
conn->handshake.handshake_type = INITIAL;
conn->handshake.message_number = 0;
GUARD(s2n_hash_init(&conn->handshake.md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.sha256, S2N_HASH_SHA256));
GUARD(s2n_hash_init(&conn->handshake.sha384, S2N_HASH_SHA384));
GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0));
GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0));
memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer));
memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->initial.client_key, &initial_client_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->initial.server_key, &initial_server_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->secure.client_key, &secure_client_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->secure.server_key, &secure_server_key, sizeof(struct s2n_session_key));
if (conn->mode == S2N_SERVER) {
conn->server_protocol_version = s2n_highest_protocol_version;
conn->client_protocol_version = s2n_unknown_protocol_version;
}
else {
conn->server_protocol_version = s2n_unknown_protocol_version;
conn->client_protocol_version = s2n_highest_protocol_version;
}
conn->actual_protocol_version = s2n_unknown_protocol_version;
return 0;
}
int main(int argc, char **argv)
{
uint8_t digest_pad[256];
uint8_t check_pad[256];
uint8_t output_pad[256];
struct s2n_stuffer output;
uint8_t sekrit[] = "sekrit";
uint8_t longsekrit[] = "This is a really really really long key on purpose to make sure that it's longer than the block size";
uint8_t hello[] = "Hello world!";
struct s2n_hmac_state hmac, copy;
struct s2n_hmac_state cmac;
struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) };
BEGIN_TEST();
/* Initialise our output stuffers */
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_MD5), 16);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_copy(©, &hmac));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);
/* Check the copy */
EXPECT_SUCCESS(s2n_hmac_digest(©, digest_pad, 16));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);
/* Test that a reset works */
EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "2ce569d61f4ee6ad9ceebe02a112ace7", 16 * 2), 0);
/* Test that a reset works */
EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "2ce569d61f4ee6ad9ceebe02a112ace7", 16 * 2), 0);
/* Verify that _verify works */
EXPECT_SUCCESS(s2n_hmac_init(&cmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&cmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&cmac, check_pad, 16));
EXPECT_SUCCESS(s2n_hmac_digest_verify(digest_pad, 16, check_pad, 16));
/* Try SHA1 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA1), 20);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA1, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 20; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "6d301861b599938eca94f6de917362886d97882f", 20 * 2), 0);
/* Try SHA256 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA256), 32);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA256, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 32));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 32; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "adc20b12d236e6d1824d690622e33ead4f67ba5a2be9606fe762b2dd859a78a9", 32 * 2), 0);
/* Try SHA384 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA384), 48);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA384, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 48));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 48; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "8552563cadd583b79dcc7225bb79bc6483c63f259187162e1c9d4283eb6299ef1bc3ca81c0c40fc7b22f7a1f3b93adb4", 48 * 2), 0);
/* Try SHA512 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA512), 64);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA512, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 64));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 64; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from python */
EXPECT_EQUAL(memcmp(output_pad, "0a834a1ed265042e2897405edb4fdd9818950cd5bea10b828f2fed45a1cb6dbd2107e4b04eb20f211998cd4e8c7e11ebdcb0103ac63882481e1bb8083d07f4be", 64 * 2), 0);
/* Try SSLv3 MD5 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5), 16);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from Go */
EXPECT_EQUAL(memcmp(output_pad, "d4f0d06b9765de23e6c3e33a24c5ded0", 16 * 2), 0);
/* Test that a reset works */
EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
EXPECT_EQUAL(memcmp(output_pad, "d4f0d06b9765de23e6c3e33a24c5ded0", 16 * 2), 0);
/* Try SSLv3 SHA1 */
EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_SHA1), 20);
EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_SHA1, sekrit, strlen((char *)sekrit)));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 20; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from Go */
EXPECT_EQUAL(memcmp(output_pad, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326", 20 * 2), 0);
/* Test that a reset works */
EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
for (int i = 0; i < 20; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
EXPECT_EQUAL(memcmp(output_pad, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326", 20 * 2), 0);
END_TEST();
}
int s2n_prf_key_expansion(struct s2n_connection *conn)
{
struct s2n_blob client_random = {.data = conn->secure.client_random,.size = sizeof(conn->secure.client_random) };
struct s2n_blob server_random = {.data = conn->secure.server_random,.size = sizeof(conn->secure.server_random) };
struct s2n_blob master_secret = {.data = conn->secure.master_secret,.size = sizeof(conn->secure.master_secret) };
struct s2n_blob label, out;
uint8_t key_expansion_label[] = "key expansion";
uint8_t key_block[S2N_MAX_KEY_BLOCK_LEN];
label.data = key_expansion_label;
label.size = sizeof(key_expansion_label) - 1;
out.data = key_block;
out.size = sizeof(key_block);
struct s2n_stuffer key_material;
GUARD(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, &out));
GUARD(s2n_stuffer_init(&key_material, &out));
GUARD(s2n_stuffer_write(&key_material, &out));
GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.client_key));
GUARD(conn->secure.cipher_suite->cipher->init(&conn->secure.server_key));
/* What's our hmac algorithm? */
s2n_hmac_algorithm hmac_alg = conn->secure.cipher_suite->hmac_alg;
if (conn->actual_protocol_version == S2N_SSLv3) {
if (hmac_alg == S2N_HMAC_SHA1) {
hmac_alg = S2N_HMAC_SSLv3_SHA1;
} else if (hmac_alg == S2N_HMAC_MD5) {
hmac_alg = S2N_HMAC_SSLv3_MD5;
} else {
S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
}
/* Check that we have a valid MAC and key size */
int mac_size;
GUARD((mac_size = s2n_hmac_digest_size(hmac_alg)));
/* Seed the client MAC */
uint8_t *client_write_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(client_write_mac_key);
GUARD(s2n_hmac_init(&conn->secure.client_record_mac, hmac_alg, client_write_mac_key, mac_size));
/* Seed the server MAC */
uint8_t *server_write_mac_key = s2n_stuffer_raw_read(&key_material, mac_size);
notnull_check(server_write_mac_key);
GUARD(s2n_hmac_init(&conn->secure.server_record_mac, hmac_alg, server_write_mac_key, mac_size));
/* Make the client key */
struct s2n_blob client_key;
client_key.size = conn->secure.cipher_suite->cipher->key_material_size;
client_key.data = s2n_stuffer_raw_read(&key_material, client_key.size);
notnull_check(client_key.data);
if (conn->mode == S2N_CLIENT) {
GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.client_key, &client_key));
} else {
GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.client_key, &client_key));
}
/* Make the server key */
struct s2n_blob server_key;
server_key.size = conn->secure.cipher_suite->cipher->key_material_size;
server_key.data = s2n_stuffer_raw_read(&key_material, server_key.size);
notnull_check(server_key.data);
if (conn->mode == S2N_SERVER) {
GUARD(conn->secure.cipher_suite->cipher->get_encryption_key(&conn->secure.server_key, &server_key));
} else {
GUARD(conn->secure.cipher_suite->cipher->get_decryption_key(&conn->secure.server_key, &server_key));
}
/* TLS >= 1.1 has no implicit IVs for non AEAD ciphers */
if (conn->actual_protocol_version > S2N_TLS10 &&
conn->secure.cipher_suite->cipher->type != S2N_AEAD) {
return 0;
}
uint32_t implicit_iv_size = 0;
switch(conn->secure.cipher_suite->cipher->type) {
case S2N_AEAD:
implicit_iv_size = conn->secure.cipher_suite->cipher->io.aead.fixed_iv_size;
break;
case S2N_CBC:
implicit_iv_size = conn->secure.cipher_suite->cipher->io.cbc.block_size;
break;
/* No-op for stream ciphers */
default:
break;
}
struct s2n_blob client_implicit_iv = { .data = conn->secure.client_implicit_iv, .size = implicit_iv_size };
struct s2n_blob server_implicit_iv = { .data = conn->secure.server_implicit_iv, .size = implicit_iv_size };
GUARD(s2n_stuffer_read(&key_material, &client_implicit_iv));
GUARD(s2n_stuffer_read(&key_material, &server_implicit_iv));
return 0;
}
