static int s2n_sslv3_mac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE;
if (alg == S2N_HMAC_SSLv3_MD5) {
hash_alg = S2N_HASH_MD5;
}
if (alg == S2N_HMAC_SSLv3_SHA1) {
hash_alg = S2N_HASH_SHA1;
}
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
GUARD(s2n_hash_update(&state->inner_just_key, key, klen));
GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x5c;
}
GUARD(s2n_hash_init(&state->outer, hash_alg));
GUARD(s2n_hash_update(&state->outer, key, klen));
GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size));
/* Copy inner_just_key to inner */
return s2n_hmac_reset(state);
}
int s2n_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state *signature_hash = &conn->secure.signature_hash;
const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob data_to_verify = {0};
/* Read the KEX data */
union s2n_kex_raw_server_data kex_data = {{{0}}};
GUARD(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
/* Add common signature data */
if (conn->actual_protocol_version == S2N_TLS12) {
s2n_hash_algorithm hash_algorithm;
s2n_signature_algorithm signature_algorithm;
GUARD(s2n_get_signature_hash_pair_if_supported(in, &hash_algorithm, &signature_algorithm));
GUARD(s2n_hash_init(signature_hash, hash_algorithm));
} else {
GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg));
}
GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
/* Add KEX specific data */
GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
/* Verify the signature */
uint16_t signature_length;
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
struct s2n_blob signature = {.size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length)};
notnull_check(signature.data);
gt_check(signature_length, 0);
S2N_ERROR_IF(s2n_pkey_verify(&conn->secure.server_public_key, signature_hash, &signature) < 0, S2N_ERR_BAD_MESSAGE);
/* We don't need the key any more, so free it */
GUARD(s2n_pkey_free(&conn->secure.server_public_key));
/* Parse the KEX data into whatever form needed and save it to the connection object */
GUARD(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
return 0;
}
int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, union s2n_kex_raw_server_data *raw_server_data)
{
struct s2n_stuffer *in = &conn->handshake.io;
GUARD(s2n_ecc_read_ecc_params(in, data_to_verify, &raw_server_data->ecdhe_data));
return 0;
}
int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, union s2n_kex_raw_server_data *raw_server_data)
{
GUARD(s2n_ecc_parse_ecc_params(&conn->secure.server_ecc_params, &raw_server_data->ecdhe_data));
return 0;
}
int s2n_server_key_send(struct s2n_connection *conn)
{
struct s2n_hash_state *signature_hash = &conn->secure.signature_hash;
const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_blob data_to_sign = {0};
/* Call the negotiated key exchange method to send it's data */
GUARD(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
/* Add common signature data */
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_stuffer_write_uint8(out, s2n_hash_alg_to_tls[ conn->secure.conn_hash_alg ]));
GUARD(s2n_stuffer_write_uint8(out, conn->secure.conn_sig_alg));
}
/* Add the random data to the hash */
GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg));
GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
/* Add KEX specific data to the hash */
GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
/* Sign and write the signature */
GUARD(s2n_write_signature_blob(out, conn->handshake_params.our_chain_and_key->private_key, signature_hash));
return 0;
}
static int s2n_sslv3_prf(union s2n_prf_working_space *ws, struct s2n_blob *secret, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out)
{
struct s2n_hash_state *md5 = &ws->ssl3.md5;
struct s2n_hash_state *sha1 = &ws->ssl3.sha1;
uint32_t outputlen = out->size;
uint8_t *output = out->data;
uint8_t iteration = 1;
uint8_t A = 'A';
while (outputlen) {
GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1));
for (int i = 0; i < iteration; i++) {
GUARD(s2n_hash_update(sha1, &A, 1));
}
GUARD(s2n_hash_update(sha1, secret->data, secret->size));
GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
if (seed_b) {
GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
}
GUARD(s2n_hash_digest(sha1, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest)));
GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
GUARD(s2n_hash_update(md5, secret->data, secret->size));
GUARD(s2n_hash_update(md5, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest)));
GUARD(s2n_hash_digest(md5, ws->ssl3.md5_digest, sizeof(ws->ssl3.md5_digest)));
uint32_t bytes_to_copy = MIN(outputlen, sizeof(ws->ssl3.md5_digest));
memcpy_check(output, ws->ssl3.md5_digest, bytes_to_copy);
outputlen -= bytes_to_copy;
output += bytes_to_copy;
/* Increment the letter */
A++;
iteration++;
}
return 0;
}
static int s2n_ecdsa_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey *priv)
{
uint8_t input[16] = { 1 };
DEFER_CLEANUP(struct s2n_blob signature = { 0 }, s2n_free);
DEFER_CLEANUP(struct s2n_hash_state state_in = { 0 }, s2n_hash_free);
DEFER_CLEANUP(struct s2n_hash_state state_out = { 0 }, s2n_hash_free);
/* s2n_hash_new only allocates memory when using high-level EVP hashes, currently restricted to FIPS mode. */
GUARD(s2n_hash_new(&state_in));
GUARD(s2n_hash_new(&state_out));
GUARD(s2n_hash_init(&state_in, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&state_out, S2N_HASH_SHA1));
GUARD(s2n_hash_update(&state_in, input, sizeof(input)));
GUARD(s2n_hash_update(&state_out, input, sizeof(input)));
GUARD(s2n_alloc(&signature, s2n_ecdsa_der_signature_size(priv)));
GUARD(s2n_ecdsa_sign(priv, &state_in, &signature));
GUARD(s2n_ecdsa_verify(pub, &state_out, &signature));
return 0;
}
static uint32_t s2n_map_slot(struct s2n_map *map, struct s2n_blob *key)
{
struct s2n_hash_state sha256;
union {
uint8_t u8[32];
uint32_t u32[8];
} digest;
GUARD(s2n_hash_init(&sha256, S2N_HASH_SHA256));
GUARD(s2n_hash_update(&sha256, key->data, key->size));
GUARD(s2n_hash_digest(&sha256, digest.u8, sizeof(digest)));
return digest.u32[0] % map->capacity;
}
struct s2n_map *s2n_map_new()
{
struct s2n_blob mem;
struct s2n_map *map;
GUARD_PTR(s2n_alloc(&mem, sizeof(struct s2n_map)));
map = (void *) mem.data;
map->capacity = 0;
map->size = 0;
map->immutable = 0;
map->table = NULL;
GUARD_PTR(s2n_hash_new(&map->sha256));
GUARD_PTR(s2n_hash_init(&map->sha256, S2N_HASH_SHA256));
GUARD_PTR(s2n_map_embiggen(map, S2N_INITIAL_TABLE_SIZE));
return map;
}
static int s2n_dhe_server_key_send(struct s2n_connection *conn)
{
struct s2n_blob serverDHparams, signature;
struct s2n_stuffer *out = &conn->handshake.io;
struct s2n_hash_state signature_hash;
/* Duplicate the DH key from the config */
GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->secure.server_dh_params));
/* Generate an ephemeral key */
GUARD(s2n_dh_generate_ephemeral_key(&conn->secure.server_dh_params));
/* Write it out */
GUARD(s2n_dh_params_to_p_g_Ys(&conn->secure.server_dh_params, out, &serverDHparams));
if (conn->actual_protocol_version == S2N_TLS12) {
GUARD(s2n_stuffer_write_uint8(out, TLS_HASH_ALGORITHM_SHA1));
GUARD(s2n_stuffer_write_uint8(out, TLS_SIGNATURE_ALGORITHM_RSA));
}
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
signature.size = s2n_rsa_private_encrypted_size(&conn->config->cert_and_key_pairs->private_key);
GUARD(s2n_stuffer_write_uint16(out, signature.size));
signature.data = s2n_stuffer_raw_write(out, signature.size);
notnull_check(signature.data);
if (s2n_rsa_sign(&conn->config->cert_and_key_pairs->private_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_DH_FAILED_SIGNING);
}
return 0;
}
int s2n_connection_wipe(struct s2n_connection *conn)
{
/* First make a copy of everything we'd like to save, which isn't very
* much.
*/
int mode = conn->mode;
struct s2n_config *config = conn->config;
struct s2n_stuffer alert_in;
struct s2n_stuffer reader_alert_out;
struct s2n_stuffer writer_alert_out;
struct s2n_stuffer handshake_io;
struct s2n_stuffer header_in;
struct s2n_stuffer in;
struct s2n_stuffer out;
/* Wipe all of the sensitive stuff */
GUARD(s2n_connection_free_keys(conn));
GUARD(s2n_stuffer_wipe(&conn->alert_in));
GUARD(s2n_stuffer_wipe(&conn->reader_alert_out));
GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
GUARD(s2n_stuffer_wipe(&conn->handshake.io));
GUARD(s2n_stuffer_wipe(&conn->header_in));
GUARD(s2n_stuffer_wipe(&conn->in));
GUARD(s2n_stuffer_wipe(&conn->out));
/* Allocate or resize to their original sizes */
GUARD(s2n_stuffer_resize(&conn->in, S2N_DEFAULT_FRAGMENT_LENGTH));
/* Allocate memory for handling handshakes */
GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_DEFAULT_RECORD_LENGTH));
/* Clone the stuffers */
/* ignore gcc 4.7 address warnings because dest is allocated on the stack */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer));
memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer));
memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer));
memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer));
#pragma GCC diagnostic pop
/* Zero the whole connection structure */
memset_check(conn, 0, sizeof(struct s2n_connection));
conn->mode = mode;
conn->config = config;
conn->active.cipher_suite = &s2n_null_cipher_suite;
conn->pending.cipher_suite = &s2n_null_cipher_suite;
conn->server = &conn->active;
conn->client = &conn->active;
conn->max_fragment_length = S2N_DEFAULT_FRAGMENT_LENGTH;
conn->handshake.state = CLIENT_HELLO;
GUARD(s2n_hash_init(&conn->handshake.client_md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.client_sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.client_sha256, S2N_HASH_SHA256));
GUARD(s2n_hash_init(&conn->handshake.server_md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.server_sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.server_sha256, S2N_HASH_SHA256));
memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer));
memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer));
/* Set everything to the highest version at first */
conn->server_protocol_version = s2n_highest_protocol_version;
conn->client_protocol_version = s2n_highest_protocol_version;
conn->actual_protocol_version = s2n_highest_protocol_version;
return 0;
}
int main(int argc, char **argv)
{
uint8_t digest_pad[64];
uint8_t output_pad[96];
uint8_t hello[] = "Hello world!\n";
struct s2n_stuffer output;
struct s2n_hash_state hash, copy;
struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) };
BEGIN_TEST();
/* Initialise our output stuffers */
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t md5_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_MD5, &md5_digest_size));
EXPECT_EQUAL(md5_digest_size, 16);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_MD5));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_copy(©, &hash));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, MD5_DIGEST_LENGTH));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line md5sum */
EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);
/* Check the copy */
EXPECT_SUCCESS(s2n_hash_digest(©, digest_pad, MD5_DIGEST_LENGTH));
for (int i = 0; i < 16; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line md5sum */
EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha1_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA1, &sha1_digest_size));
EXPECT_EQUAL(sha1_digest_size, 20);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA_DIGEST_LENGTH));
for (int i = 0; i < 20; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha1sum */
EXPECT_EQUAL(memcmp(output_pad, "47a013e660d408619d894b20806b1d5086aab03b", 20 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha256_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA256, &sha256_digest_size));
EXPECT_EQUAL(sha256_digest_size, 32);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA256));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA256_DIGEST_LENGTH));
for (int i = 0; i < 32; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha256sum */
EXPECT_EQUAL(memcmp(output_pad, "0ba904eae8773b70c75333db4de2f3ac45a8ad4ddba1b242f0b3cfc199391dd8", 32 * 2), 0);
EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));
uint8_t sha384_digest_size;
GUARD(s2n_hash_digest_size(S2N_HASH_SHA384, &sha384_digest_size));
EXPECT_EQUAL(sha384_digest_size, 48);
EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA384));
EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello)));
EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA384_DIGEST_LENGTH));
for (int i = 0; i < 48; i++) {
EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
}
/* Reference value from command line sha512sum */
EXPECT_EQUAL(memcmp(output_pad, "f7f8f1b9d5a9a61742eeda26c20990282ac08dabda14e70376fcb4c8b46198a9959ea9d7d194b38520eed5397ffe6d8e", 48 * 2), 0);
END_TEST();
}
static int s2n_ecdhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob ecdhparams;
struct s2n_blob signature;
uint16_t signature_length;
/* Read server ECDH params and calculate their hash */
GUARD(s2n_ecc_read_ecc_params(&conn->secure.server_ecc_params, in, &ecdhparams));
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, ecdhparams.data, ecdhparams.size));
/* Verify the signature */
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
return 0;
}
static int s2n_dhe_server_key_recv(struct s2n_connection *conn)
{
struct s2n_hash_state signature_hash;
struct s2n_stuffer *in = &conn->handshake.io;
struct s2n_blob p, g, Ys, serverDHparams, signature;
uint16_t p_length;
uint16_t g_length;
uint16_t Ys_length;
uint16_t signature_length;
/* Keep a copy to the start of the whole structure for the signature check */
serverDHparams.data = s2n_stuffer_raw_read(in, 0);
notnull_check(serverDHparams.data);
/* Read each of the three elements in */
GUARD(s2n_stuffer_read_uint16(in, &p_length));
p.size = p_length;
p.data = s2n_stuffer_raw_read(in, p.size);
notnull_check(p.data);
GUARD(s2n_stuffer_read_uint16(in, &g_length));
g.size = g_length;
g.data = s2n_stuffer_raw_read(in, g.size);
notnull_check(g.data);
GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
Ys.size = Ys_length;
Ys.data = s2n_stuffer_raw_read(in, Ys.size);
notnull_check(Ys.data);
/* Now we know the total size of the structure */
serverDHparams.size = 2 + p_length + 2 + g_length + 2 + Ys_length;
GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg));
if (conn->actual_protocol_version == S2N_TLS12) {
uint8_t hash_algorithm;
uint8_t signature_algorithm;
GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm));
GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm));
if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
switch(hash_algorithm) {
case TLS_HASH_ALGORITHM_MD5:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5));
break;
case TLS_HASH_ALGORITHM_SHA1:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1));
break;
case TLS_HASH_ALGORITHM_SHA224:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224));
break;
case TLS_HASH_ALGORITHM_SHA256:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256));
break;
case TLS_HASH_ALGORITHM_SHA384:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384));
break;
case TLS_HASH_ALGORITHM_SHA512:
GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512));
break;
default:
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
}
GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN));
GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size));
GUARD(s2n_stuffer_read_uint16(in, &signature_length));
signature.size = signature_length;
signature.data = s2n_stuffer_raw_read(in, signature.size);
notnull_check(signature.data);
gt_check(signature_length, 0);
if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) {
S2N_ERROR(S2N_ERR_BAD_MESSAGE);
}
/* We don't need the key any more, so free it */
GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key));
/* Copy the DH details */
GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->secure.server_dh_params, &p, &g, &Ys));
return 0;
}
int main(int argc, char **argv)
{
struct s2n_stuffer certificate_in, certificate_out;
struct s2n_stuffer dhparams_in, dhparams_out;
struct s2n_stuffer rsa_key_in, rsa_key_out;
struct s2n_blob b;
BEGIN_TEST();
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, sizeof(certificate)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_in, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_out, sizeof(dhparams)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_in, sizeof(private_key)));
EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_out, sizeof(private_key)));
b.data = certificate;
b.size = sizeof(certificate);
EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &b));
b.data = private_key;
b.size = sizeof(private_key);
EXPECT_SUCCESS(s2n_stuffer_write(&rsa_key_in, &b));
b.data = dhparams;
b.size = sizeof(dhparams);
EXPECT_SUCCESS(s2n_stuffer_write(&dhparams_in, &b));
EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out));
EXPECT_SUCCESS(s2n_stuffer_rsa_private_key_from_pem(&rsa_key_in, &rsa_key_out));
EXPECT_SUCCESS(s2n_stuffer_dhparams_from_pem(&dhparams_in, &dhparams_out));
struct s2n_rsa_private_key priv_key;
struct s2n_rsa_public_key pub_key;
b.size = s2n_stuffer_data_available(&certificate_out);
b.data = s2n_stuffer_raw_read(&certificate_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_public_key(&pub_key, &b));
b.size = s2n_stuffer_data_available(&rsa_key_out);
b.data = s2n_stuffer_raw_read(&rsa_key_out, b.size);
EXPECT_SUCCESS(s2n_asn1der_to_rsa_private_key(&priv_key, &b));
EXPECT_SUCCESS(s2n_rsa_keys_match(&pub_key, &priv_key));
struct s2n_connection *conn;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(conn->config, (char *)chain, (char *)private_key));
struct s2n_dh_params dh_params;
b.size = s2n_stuffer_data_available(&dhparams_out);
b.data = s2n_stuffer_raw_read(&dhparams_out, b.size);
EXPECT_SUCCESS(s2n_pkcs3_to_dh_params(&dh_params, &b));
EXPECT_SUCCESS(s2n_config_add_dhparams(conn->config, (char *)dhparams));
/* Try signing and verification with RSA */
uint8_t inputpad[] = "Hello world!";
struct s2n_blob signature;
struct s2n_hash_state tls10_one, tls10_two, tls12_one, tls12_two;
EXPECT_SUCCESS(s2n_hash_init(&tls10_one, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls10_two, S2N_HASH_MD5_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_one, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_hash_init(&tls12_two, S2N_HASH_SHA1));
EXPECT_SUCCESS(s2n_alloc(&signature, s2n_rsa_public_encrypted_size(&pub_key)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls10_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls10_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls10_two, &signature));
EXPECT_SUCCESS(s2n_hash_update(&tls12_one, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_hash_update(&tls12_two, inputpad, sizeof(inputpad)));
EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls12_one, &signature));
EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls12_two, &signature));
EXPECT_SUCCESS(s2n_dh_params_free(&dh_params));
EXPECT_SUCCESS(s2n_rsa_private_key_free(&priv_key));
EXPECT_SUCCESS(s2n_rsa_public_key_free(&pub_key));
EXPECT_SUCCESS(s2n_config_free_dhparams(conn->config));
EXPECT_SUCCESS(s2n_config_free_cert_chain_and_key(conn->config));
EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_free(&signature));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_in));
EXPECT_SUCCESS(s2n_stuffer_free(&certificate_out));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_in));
EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_out));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_in));
EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_out));
END_TEST();
}
int s2n_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE;
state->currently_in_hash_block = 0;
state->digest_size = 0;
state->block_size = 64;
state->hash_block_size = 64;
switch (alg) {
case S2N_HMAC_NONE:
break;
case S2N_HMAC_SSLv3_MD5:
state->block_size = 48;
/* Fall through ... */
case S2N_HMAC_MD5:
hash_alg = S2N_HASH_MD5;
state->digest_size = MD5_DIGEST_LENGTH;
break;
case S2N_HMAC_SSLv3_SHA1:
state->block_size = 40;
/* Fall through ... */
case S2N_HMAC_SHA1:
hash_alg = S2N_HASH_SHA1;
state->digest_size = SHA_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA224:
hash_alg = S2N_HASH_SHA224;
state->digest_size = SHA224_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA256:
hash_alg = S2N_HASH_SHA256;
state->digest_size = SHA256_DIGEST_LENGTH;
break;
case S2N_HMAC_SHA384:
hash_alg = S2N_HASH_SHA384;
state->digest_size = SHA384_DIGEST_LENGTH;
state->block_size = 128;
state->hash_block_size = 128;
break;
case S2N_HMAC_SHA512:
hash_alg = S2N_HASH_SHA512;
state->digest_size = SHA512_DIGEST_LENGTH;
state->block_size = 128;
state->hash_block_size = 128;
break;
default:
S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
gte_check(sizeof(state->xor_pad), state->block_size);
gte_check(sizeof(state->digest_pad), state->digest_size);
state->alg = alg;
if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5) {
return s2n_sslv3_mac_init(state, alg, key, klen);
}
GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
GUARD(s2n_hash_init(&state->outer, hash_alg));
uint32_t copied = klen;
if (klen > state->block_size) {
GUARD(s2n_hash_update(&state->outer, key, klen));
GUARD(s2n_hash_digest(&state->outer, state->digest_pad, state->digest_size));
memcpy_check(state->xor_pad, state->digest_pad, state->digest_size);
copied = state->digest_size;
} else {
memcpy_check(state->xor_pad, key, klen);
}
for (int i = 0; i < copied; i++) {
state->xor_pad[i] ^= 0x36;
}
for (int i = copied; i < state->block_size; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));
/* 0x36 xor 0x5c == 0x6a */
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] ^= 0x6a;
}
return s2n_hmac_reset(state);
}
int s2n_connection_wipe(struct s2n_connection *conn)
{
/* First make a copy of everything we'd like to save, which isn't very
* much.
*/
int mode = conn->mode;
struct s2n_config *config = conn->config;
struct s2n_stuffer alert_in;
struct s2n_stuffer reader_alert_out;
struct s2n_stuffer writer_alert_out;
struct s2n_stuffer handshake_io;
struct s2n_stuffer header_in;
struct s2n_stuffer in;
struct s2n_stuffer out;
/* Session keys will be wiped. Preserve structs to avoid reallocation */
struct s2n_session_key initial_client_key;
struct s2n_session_key initial_server_key;
struct s2n_session_key secure_client_key;
struct s2n_session_key secure_server_key;
/* Wipe all of the sensitive stuff */
GUARD(s2n_connection_wipe_keys(conn));
GUARD(s2n_stuffer_wipe(&conn->alert_in));
GUARD(s2n_stuffer_wipe(&conn->reader_alert_out));
GUARD(s2n_stuffer_wipe(&conn->writer_alert_out));
GUARD(s2n_stuffer_wipe(&conn->handshake.io));
GUARD(s2n_stuffer_wipe(&conn->header_in));
GUARD(s2n_stuffer_wipe(&conn->in));
GUARD(s2n_stuffer_wipe(&conn->out));
/* Restore the socket option values */
GUARD(s2n_socket_read_restore(conn));
GUARD(s2n_socket_write_restore(conn));
GUARD(s2n_free(&conn->status_response));
/* Allocate or resize to their original sizes */
GUARD(s2n_stuffer_resize(&conn->in, S2N_LARGE_FRAGMENT_LENGTH));
/* Allocate memory for handling handshakes */
GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH));
/* Clone the stuffers */
/* ignore gcc 4.7 address warnings because dest is allocated on the stack */
/* pragma gcc diagnostic was added in gcc 4.6 */
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif
memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer));
memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer));
memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer));
memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer));
memcpy_check(&initial_client_key, &conn->initial.client_key, sizeof(struct s2n_session_key));
memcpy_check(&initial_server_key, &conn->initial.server_key, sizeof(struct s2n_session_key));
memcpy_check(&secure_client_key, &conn->secure.client_key, sizeof(struct s2n_session_key));
memcpy_check(&secure_server_key, &conn->secure.server_key, sizeof(struct s2n_session_key));
#if defined(__GNUC__) && GCC_VERSION >= 40600
#pragma GCC diagnostic pop
#endif
/* Zero the whole connection structure */
memset_check(conn, 0, sizeof(struct s2n_connection));
conn->readfd = -1;
conn->writefd = -1;
conn->mode = mode;
conn->config = config;
conn->close_notify_queued = 0;
conn->current_user_data_consumed = 0;
conn->initial.cipher_suite = &s2n_null_cipher_suite;
conn->secure.cipher_suite = &s2n_null_cipher_suite;
conn->server = &conn->initial;
conn->client = &conn->initial;
conn->max_fragment_length = S2N_SMALL_FRAGMENT_LENGTH;
conn->handshake.handshake_type = INITIAL;
conn->handshake.message_number = 0;
GUARD(s2n_hash_init(&conn->handshake.md5, S2N_HASH_MD5));
GUARD(s2n_hash_init(&conn->handshake.sha1, S2N_HASH_SHA1));
GUARD(s2n_hash_init(&conn->handshake.sha256, S2N_HASH_SHA256));
GUARD(s2n_hash_init(&conn->handshake.sha384, S2N_HASH_SHA384));
GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0));
GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0));
memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer));
memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer));
memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer));
memcpy_check(&conn->initial.client_key, &initial_client_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->initial.server_key, &initial_server_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->secure.client_key, &secure_client_key, sizeof(struct s2n_session_key));
memcpy_check(&conn->secure.server_key, &secure_server_key, sizeof(struct s2n_session_key));
if (conn->mode == S2N_SERVER) {
conn->server_protocol_version = s2n_highest_protocol_version;
conn->client_protocol_version = s2n_unknown_protocol_version;
}
else {
conn->server_protocol_version = s2n_unknown_protocol_version;
conn->client_protocol_version = s2n_highest_protocol_version;
}
conn->actual_protocol_version = s2n_unknown_protocol_version;
return 0;
}
