static int s2n_sslv3_mac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen) { s2n_hash_algorithm hash_alg = S2N_HASH_NONE; if (alg == S2N_HMAC_SSLv3_MD5) { hash_alg = S2N_HASH_MD5; } if (alg == S2N_HMAC_SSLv3_SHA1) { hash_alg = S2N_HASH_SHA1; } for (int i = 0; i < state->block_size; i++) { state->xor_pad[i] = 0x36; } GUARD(s2n_hash_init(&state->inner_just_key, hash_alg)); GUARD(s2n_hash_update(&state->inner_just_key, key, klen)); GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size)); for (int i = 0; i < state->block_size; i++) { state->xor_pad[i] = 0x5c; } GUARD(s2n_hash_init(&state->outer, hash_alg)); GUARD(s2n_hash_update(&state->outer, key, klen)); GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size)); /* Copy inner_just_key to inner */ return s2n_hmac_reset(state); }
int s2n_server_key_recv(struct s2n_connection *conn) { struct s2n_hash_state *signature_hash = &conn->secure.signature_hash; const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg; struct s2n_stuffer *in = &conn->handshake.io; struct s2n_blob data_to_verify = {0}; /* Read the KEX data */ union s2n_kex_raw_server_data kex_data = {{{0}}}; GUARD(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data)); /* Add common signature data */ if (conn->actual_protocol_version == S2N_TLS12) { s2n_hash_algorithm hash_algorithm; s2n_signature_algorithm signature_algorithm; GUARD(s2n_get_signature_hash_pair_if_supported(in, &hash_algorithm, &signature_algorithm)); GUARD(s2n_hash_init(signature_hash, hash_algorithm)); } else { GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg)); } GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN)); /* Add KEX specific data */ GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size)); /* Verify the signature */ uint16_t signature_length; GUARD(s2n_stuffer_read_uint16(in, &signature_length)); struct s2n_blob signature = {.size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length)}; notnull_check(signature.data); gt_check(signature_length, 0); S2N_ERROR_IF(s2n_pkey_verify(&conn->secure.server_public_key, signature_hash, &signature) < 0, S2N_ERR_BAD_MESSAGE); /* We don't need the key any more, so free it */ GUARD(s2n_pkey_free(&conn->secure.server_public_key)); /* Parse the KEX data into whatever form needed and save it to the connection object */ GUARD(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data)); return 0; } int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, union s2n_kex_raw_server_data *raw_server_data) { struct s2n_stuffer *in = &conn->handshake.io; GUARD(s2n_ecc_read_ecc_params(in, data_to_verify, &raw_server_data->ecdhe_data)); return 0; } int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, union s2n_kex_raw_server_data *raw_server_data) { GUARD(s2n_ecc_parse_ecc_params(&conn->secure.server_ecc_params, &raw_server_data->ecdhe_data)); return 0; }
int s2n_server_key_send(struct s2n_connection *conn) { struct s2n_hash_state *signature_hash = &conn->secure.signature_hash; const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg; struct s2n_stuffer *out = &conn->handshake.io; struct s2n_blob data_to_sign = {0}; /* Call the negotiated key exchange method to send it's data */ GUARD(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign)); /* Add common signature data */ if (conn->actual_protocol_version == S2N_TLS12) { GUARD(s2n_stuffer_write_uint8(out, s2n_hash_alg_to_tls[ conn->secure.conn_hash_alg ])); GUARD(s2n_stuffer_write_uint8(out, conn->secure.conn_sig_alg)); } /* Add the random data to the hash */ GUARD(s2n_hash_init(signature_hash, conn->secure.conn_hash_alg)); GUARD(s2n_hash_update(signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN)); /* Add KEX specific data to the hash */ GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size)); /* Sign and write the signature */ GUARD(s2n_write_signature_blob(out, conn->handshake_params.our_chain_and_key->private_key, signature_hash)); return 0; }
static int s2n_sslv3_prf(union s2n_prf_working_space *ws, struct s2n_blob *secret, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out) { struct s2n_hash_state *md5 = &ws->ssl3.md5; struct s2n_hash_state *sha1 = &ws->ssl3.sha1; uint32_t outputlen = out->size; uint8_t *output = out->data; uint8_t iteration = 1; uint8_t A = 'A'; while (outputlen) { GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1)); for (int i = 0; i < iteration; i++) { GUARD(s2n_hash_update(sha1, &A, 1)); } GUARD(s2n_hash_update(sha1, secret->data, secret->size)); GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size)); if (seed_b) { GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size)); } GUARD(s2n_hash_digest(sha1, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest))); GUARD(s2n_hash_init(md5, S2N_HASH_MD5)); GUARD(s2n_hash_update(md5, secret->data, secret->size)); GUARD(s2n_hash_update(md5, ws->ssl3.sha1_digest, sizeof(ws->ssl3.sha1_digest))); GUARD(s2n_hash_digest(md5, ws->ssl3.md5_digest, sizeof(ws->ssl3.md5_digest))); uint32_t bytes_to_copy = MIN(outputlen, sizeof(ws->ssl3.md5_digest)); memcpy_check(output, ws->ssl3.md5_digest, bytes_to_copy); outputlen -= bytes_to_copy; output += bytes_to_copy; /* Increment the letter */ A++; iteration++; } return 0; }
static int s2n_ecdsa_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey *priv) { uint8_t input[16] = { 1 }; DEFER_CLEANUP(struct s2n_blob signature = { 0 }, s2n_free); DEFER_CLEANUP(struct s2n_hash_state state_in = { 0 }, s2n_hash_free); DEFER_CLEANUP(struct s2n_hash_state state_out = { 0 }, s2n_hash_free); /* s2n_hash_new only allocates memory when using high-level EVP hashes, currently restricted to FIPS mode. */ GUARD(s2n_hash_new(&state_in)); GUARD(s2n_hash_new(&state_out)); GUARD(s2n_hash_init(&state_in, S2N_HASH_SHA1)); GUARD(s2n_hash_init(&state_out, S2N_HASH_SHA1)); GUARD(s2n_hash_update(&state_in, input, sizeof(input))); GUARD(s2n_hash_update(&state_out, input, sizeof(input))); GUARD(s2n_alloc(&signature, s2n_ecdsa_der_signature_size(priv))); GUARD(s2n_ecdsa_sign(priv, &state_in, &signature)); GUARD(s2n_ecdsa_verify(pub, &state_out, &signature)); return 0; }
static uint32_t s2n_map_slot(struct s2n_map *map, struct s2n_blob *key) { struct s2n_hash_state sha256; union { uint8_t u8[32]; uint32_t u32[8]; } digest; GUARD(s2n_hash_init(&sha256, S2N_HASH_SHA256)); GUARD(s2n_hash_update(&sha256, key->data, key->size)); GUARD(s2n_hash_digest(&sha256, digest.u8, sizeof(digest))); return digest.u32[0] % map->capacity; }
struct s2n_map *s2n_map_new() { struct s2n_blob mem; struct s2n_map *map; GUARD_PTR(s2n_alloc(&mem, sizeof(struct s2n_map))); map = (void *) mem.data; map->capacity = 0; map->size = 0; map->immutable = 0; map->table = NULL; GUARD_PTR(s2n_hash_new(&map->sha256)); GUARD_PTR(s2n_hash_init(&map->sha256, S2N_HASH_SHA256)); GUARD_PTR(s2n_map_embiggen(map, S2N_INITIAL_TABLE_SIZE)); return map; }
static int s2n_dhe_server_key_send(struct s2n_connection *conn) { struct s2n_blob serverDHparams, signature; struct s2n_stuffer *out = &conn->handshake.io; struct s2n_hash_state signature_hash; /* Duplicate the DH key from the config */ GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->secure.server_dh_params)); /* Generate an ephemeral key */ GUARD(s2n_dh_generate_ephemeral_key(&conn->secure.server_dh_params)); /* Write it out */ GUARD(s2n_dh_params_to_p_g_Ys(&conn->secure.server_dh_params, out, &serverDHparams)); if (conn->actual_protocol_version == S2N_TLS12) { GUARD(s2n_stuffer_write_uint8(out, TLS_HASH_ALGORITHM_SHA1)); GUARD(s2n_stuffer_write_uint8(out, TLS_SIGNATURE_ALGORITHM_RSA)); } GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg)); GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size)); signature.size = s2n_rsa_private_encrypted_size(&conn->config->cert_and_key_pairs->private_key); GUARD(s2n_stuffer_write_uint16(out, signature.size)); signature.data = s2n_stuffer_raw_write(out, signature.size); notnull_check(signature.data); if (s2n_rsa_sign(&conn->config->cert_and_key_pairs->private_key, &signature_hash, &signature) < 0) { S2N_ERROR(S2N_ERR_DH_FAILED_SIGNING); } return 0; }
int s2n_connection_wipe(struct s2n_connection *conn) { /* First make a copy of everything we'd like to save, which isn't very * much. */ int mode = conn->mode; struct s2n_config *config = conn->config; struct s2n_stuffer alert_in; struct s2n_stuffer reader_alert_out; struct s2n_stuffer writer_alert_out; struct s2n_stuffer handshake_io; struct s2n_stuffer header_in; struct s2n_stuffer in; struct s2n_stuffer out; /* Wipe all of the sensitive stuff */ GUARD(s2n_connection_free_keys(conn)); GUARD(s2n_stuffer_wipe(&conn->alert_in)); GUARD(s2n_stuffer_wipe(&conn->reader_alert_out)); GUARD(s2n_stuffer_wipe(&conn->writer_alert_out)); GUARD(s2n_stuffer_wipe(&conn->handshake.io)); GUARD(s2n_stuffer_wipe(&conn->header_in)); GUARD(s2n_stuffer_wipe(&conn->in)); GUARD(s2n_stuffer_wipe(&conn->out)); /* Allocate or resize to their original sizes */ GUARD(s2n_stuffer_resize(&conn->in, S2N_DEFAULT_FRAGMENT_LENGTH)); /* Allocate memory for handling handshakes */ GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_DEFAULT_RECORD_LENGTH)); /* Clone the stuffers */ /* ignore gcc 4.7 address warnings because dest is allocated on the stack */ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Waddress" memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer)); memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer)); memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer)); memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer)); memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer)); #pragma GCC diagnostic pop /* Zero the whole connection structure */ memset_check(conn, 0, sizeof(struct s2n_connection)); conn->mode = mode; conn->config = config; conn->active.cipher_suite = &s2n_null_cipher_suite; conn->pending.cipher_suite = &s2n_null_cipher_suite; conn->server = &conn->active; conn->client = &conn->active; conn->max_fragment_length = S2N_DEFAULT_FRAGMENT_LENGTH; conn->handshake.state = CLIENT_HELLO; GUARD(s2n_hash_init(&conn->handshake.client_md5, S2N_HASH_MD5)); GUARD(s2n_hash_init(&conn->handshake.client_sha1, S2N_HASH_SHA1)); GUARD(s2n_hash_init(&conn->handshake.client_sha256, S2N_HASH_SHA256)); GUARD(s2n_hash_init(&conn->handshake.server_md5, S2N_HASH_MD5)); GUARD(s2n_hash_init(&conn->handshake.server_sha1, S2N_HASH_SHA1)); GUARD(s2n_hash_init(&conn->handshake.server_sha256, S2N_HASH_SHA256)); memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer)); memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer)); /* Set everything to the highest version at first */ conn->server_protocol_version = s2n_highest_protocol_version; conn->client_protocol_version = s2n_highest_protocol_version; conn->actual_protocol_version = s2n_highest_protocol_version; return 0; }
int main(int argc, char **argv) { uint8_t digest_pad[64]; uint8_t output_pad[96]; uint8_t hello[] = "Hello world!\n"; struct s2n_stuffer output; struct s2n_hash_state hash, copy; struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) }; BEGIN_TEST(); /* Initialise our output stuffers */ EXPECT_SUCCESS(s2n_stuffer_init(&output, &out)); uint8_t md5_digest_size; GUARD(s2n_hash_digest_size(S2N_HASH_MD5, &md5_digest_size)); EXPECT_EQUAL(md5_digest_size, 16); EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_MD5)); EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello))); EXPECT_SUCCESS(s2n_hash_copy(©, &hash)); EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, MD5_DIGEST_LENGTH)); for (int i = 0; i < 16; i++) { EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i])); } /* Reference value from command line md5sum */ EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0); /* Check the copy */ EXPECT_SUCCESS(s2n_hash_digest(©, digest_pad, MD5_DIGEST_LENGTH)); for (int i = 0; i < 16; i++) { EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i])); } /* Reference value from command line md5sum */ EXPECT_EQUAL(memcmp(output_pad, "59ca0efa9f5633cb0371bbc0355478d8", 16 * 2), 0); EXPECT_SUCCESS(s2n_stuffer_init(&output, &out)); uint8_t sha1_digest_size; GUARD(s2n_hash_digest_size(S2N_HASH_SHA1, &sha1_digest_size)); EXPECT_EQUAL(sha1_digest_size, 20); EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA1)); EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello))); EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA_DIGEST_LENGTH)); for (int i = 0; i < 20; i++) { EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i])); } /* Reference value from command line sha1sum */ EXPECT_EQUAL(memcmp(output_pad, "47a013e660d408619d894b20806b1d5086aab03b", 20 * 2), 0); EXPECT_SUCCESS(s2n_stuffer_init(&output, &out)); uint8_t sha256_digest_size; GUARD(s2n_hash_digest_size(S2N_HASH_SHA256, &sha256_digest_size)); EXPECT_EQUAL(sha256_digest_size, 32); EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA256)); EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello))); EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA256_DIGEST_LENGTH)); for (int i = 0; i < 32; i++) { EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i])); } /* Reference value from command line sha256sum */ EXPECT_EQUAL(memcmp(output_pad, "0ba904eae8773b70c75333db4de2f3ac45a8ad4ddba1b242f0b3cfc199391dd8", 32 * 2), 0); EXPECT_SUCCESS(s2n_stuffer_init(&output, &out)); uint8_t sha384_digest_size; GUARD(s2n_hash_digest_size(S2N_HASH_SHA384, &sha384_digest_size)); EXPECT_EQUAL(sha384_digest_size, 48); EXPECT_SUCCESS(s2n_hash_init(&hash, S2N_HASH_SHA384)); EXPECT_SUCCESS(s2n_hash_update(&hash, hello, strlen((char *)hello))); EXPECT_SUCCESS(s2n_hash_digest(&hash, digest_pad, SHA384_DIGEST_LENGTH)); for (int i = 0; i < 48; i++) { EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i])); } /* Reference value from command line sha512sum */ EXPECT_EQUAL(memcmp(output_pad, "f7f8f1b9d5a9a61742eeda26c20990282ac08dabda14e70376fcb4c8b46198a9959ea9d7d194b38520eed5397ffe6d8e", 48 * 2), 0); END_TEST(); }
static int s2n_ecdhe_server_key_recv(struct s2n_connection *conn) { struct s2n_hash_state signature_hash; struct s2n_stuffer *in = &conn->handshake.io; struct s2n_blob ecdhparams; struct s2n_blob signature; uint16_t signature_length; /* Read server ECDH params and calculate their hash */ GUARD(s2n_ecc_read_ecc_params(&conn->secure.server_ecc_params, in, &ecdhparams)); GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg)); if (conn->actual_protocol_version == S2N_TLS12) { uint8_t hash_algorithm; uint8_t signature_algorithm; GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm)); GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm)); if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } switch(hash_algorithm) { case TLS_HASH_ALGORITHM_MD5: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5)); break; case TLS_HASH_ALGORITHM_SHA1: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1)); break; case TLS_HASH_ALGORITHM_SHA224: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224)); break; case TLS_HASH_ALGORITHM_SHA256: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256)); break; case TLS_HASH_ALGORITHM_SHA384: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384)); break; case TLS_HASH_ALGORITHM_SHA512: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512)); break; default: S2N_ERROR(S2N_ERR_BAD_MESSAGE); } } GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, ecdhparams.data, ecdhparams.size)); /* Verify the signature */ GUARD(s2n_stuffer_read_uint16(in, &signature_length)); signature.size = signature_length; signature.data = s2n_stuffer_raw_read(in, signature.size); notnull_check(signature.data); gt_check(signature_length, 0); if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } /* We don't need the key any more, so free it */ GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key)); return 0; }
static int s2n_dhe_server_key_recv(struct s2n_connection *conn) { struct s2n_hash_state signature_hash; struct s2n_stuffer *in = &conn->handshake.io; struct s2n_blob p, g, Ys, serverDHparams, signature; uint16_t p_length; uint16_t g_length; uint16_t Ys_length; uint16_t signature_length; /* Keep a copy to the start of the whole structure for the signature check */ serverDHparams.data = s2n_stuffer_raw_read(in, 0); notnull_check(serverDHparams.data); /* Read each of the three elements in */ GUARD(s2n_stuffer_read_uint16(in, &p_length)); p.size = p_length; p.data = s2n_stuffer_raw_read(in, p.size); notnull_check(p.data); GUARD(s2n_stuffer_read_uint16(in, &g_length)); g.size = g_length; g.data = s2n_stuffer_raw_read(in, g.size); notnull_check(g.data); GUARD(s2n_stuffer_read_uint16(in, &Ys_length)); Ys.size = Ys_length; Ys.data = s2n_stuffer_raw_read(in, Ys.size); notnull_check(Ys.data); /* Now we know the total size of the structure */ serverDHparams.size = 2 + p_length + 2 + g_length + 2 + Ys_length; GUARD(s2n_hash_init(&signature_hash, conn->secure.signature_digest_alg)); if (conn->actual_protocol_version == S2N_TLS12) { uint8_t hash_algorithm; uint8_t signature_algorithm; GUARD(s2n_stuffer_read_uint8(in, &hash_algorithm)); GUARD(s2n_stuffer_read_uint8(in, &signature_algorithm)); if (signature_algorithm != TLS_SIGNATURE_ALGORITHM_RSA) { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } switch(hash_algorithm) { case TLS_HASH_ALGORITHM_MD5: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_MD5)); break; case TLS_HASH_ALGORITHM_SHA1: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA1)); break; case TLS_HASH_ALGORITHM_SHA224: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA224)); break; case TLS_HASH_ALGORITHM_SHA256: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA256)); break; case TLS_HASH_ALGORITHM_SHA384: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA384)); break; case TLS_HASH_ALGORITHM_SHA512: GUARD(s2n_hash_init(&signature_hash, S2N_HASH_SHA512)); break; default: S2N_ERROR(S2N_ERR_BAD_MESSAGE); } } GUARD(s2n_hash_update(&signature_hash, conn->secure.client_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, conn->secure.server_random, S2N_TLS_RANDOM_DATA_LEN)); GUARD(s2n_hash_update(&signature_hash, serverDHparams.data, serverDHparams.size)); GUARD(s2n_stuffer_read_uint16(in, &signature_length)); signature.size = signature_length; signature.data = s2n_stuffer_raw_read(in, signature.size); notnull_check(signature.data); gt_check(signature_length, 0); if (s2n_rsa_verify(&conn->secure.server_rsa_public_key, &signature_hash, &signature) < 0) { S2N_ERROR(S2N_ERR_BAD_MESSAGE); } /* We don't need the key any more, so free it */ GUARD(s2n_rsa_public_key_free(&conn->secure.server_rsa_public_key)); /* Copy the DH details */ GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->secure.server_dh_params, &p, &g, &Ys)); return 0; }
int main(int argc, char **argv) { struct s2n_stuffer certificate_in, certificate_out; struct s2n_stuffer dhparams_in, dhparams_out; struct s2n_stuffer rsa_key_in, rsa_key_out; struct s2n_blob b; BEGIN_TEST(); EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, sizeof(certificate))); EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, sizeof(certificate))); EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_in, sizeof(dhparams))); EXPECT_SUCCESS(s2n_stuffer_alloc(&dhparams_out, sizeof(dhparams))); EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_in, sizeof(private_key))); EXPECT_SUCCESS(s2n_stuffer_alloc(&rsa_key_out, sizeof(private_key))); b.data = certificate; b.size = sizeof(certificate); EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &b)); b.data = private_key; b.size = sizeof(private_key); EXPECT_SUCCESS(s2n_stuffer_write(&rsa_key_in, &b)); b.data = dhparams; b.size = sizeof(dhparams); EXPECT_SUCCESS(s2n_stuffer_write(&dhparams_in, &b)); EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out)); EXPECT_SUCCESS(s2n_stuffer_rsa_private_key_from_pem(&rsa_key_in, &rsa_key_out)); EXPECT_SUCCESS(s2n_stuffer_dhparams_from_pem(&dhparams_in, &dhparams_out)); struct s2n_rsa_private_key priv_key; struct s2n_rsa_public_key pub_key; b.size = s2n_stuffer_data_available(&certificate_out); b.data = s2n_stuffer_raw_read(&certificate_out, b.size); EXPECT_SUCCESS(s2n_asn1der_to_rsa_public_key(&pub_key, &b)); b.size = s2n_stuffer_data_available(&rsa_key_out); b.data = s2n_stuffer_raw_read(&rsa_key_out, b.size); EXPECT_SUCCESS(s2n_asn1der_to_rsa_private_key(&priv_key, &b)); EXPECT_SUCCESS(s2n_rsa_keys_match(&pub_key, &priv_key)); struct s2n_connection *conn; EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(conn->config, (char *)chain, (char *)private_key)); struct s2n_dh_params dh_params; b.size = s2n_stuffer_data_available(&dhparams_out); b.data = s2n_stuffer_raw_read(&dhparams_out, b.size); EXPECT_SUCCESS(s2n_pkcs3_to_dh_params(&dh_params, &b)); EXPECT_SUCCESS(s2n_config_add_dhparams(conn->config, (char *)dhparams)); /* Try signing and verification with RSA */ uint8_t inputpad[] = "Hello world!"; struct s2n_blob signature; struct s2n_hash_state tls10_one, tls10_two, tls12_one, tls12_two; EXPECT_SUCCESS(s2n_hash_init(&tls10_one, S2N_HASH_MD5_SHA1)); EXPECT_SUCCESS(s2n_hash_init(&tls10_two, S2N_HASH_MD5_SHA1)); EXPECT_SUCCESS(s2n_hash_init(&tls12_one, S2N_HASH_SHA1)); EXPECT_SUCCESS(s2n_hash_init(&tls12_two, S2N_HASH_SHA1)); EXPECT_SUCCESS(s2n_alloc(&signature, s2n_rsa_public_encrypted_size(&pub_key))); EXPECT_SUCCESS(s2n_hash_update(&tls10_one, inputpad, sizeof(inputpad))); EXPECT_SUCCESS(s2n_hash_update(&tls10_two, inputpad, sizeof(inputpad))); EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls10_one, &signature)); EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls10_two, &signature)); EXPECT_SUCCESS(s2n_hash_update(&tls12_one, inputpad, sizeof(inputpad))); EXPECT_SUCCESS(s2n_hash_update(&tls12_two, inputpad, sizeof(inputpad))); EXPECT_SUCCESS(s2n_rsa_sign(&priv_key, &tls12_one, &signature)); EXPECT_SUCCESS(s2n_rsa_verify(&pub_key, &tls12_two, &signature)); EXPECT_SUCCESS(s2n_dh_params_free(&dh_params)); EXPECT_SUCCESS(s2n_rsa_private_key_free(&priv_key)); EXPECT_SUCCESS(s2n_rsa_public_key_free(&pub_key)); EXPECT_SUCCESS(s2n_config_free_dhparams(conn->config)); EXPECT_SUCCESS(s2n_config_free_cert_chain_and_key(conn->config)); EXPECT_SUCCESS(s2n_connection_free(conn)); EXPECT_SUCCESS(s2n_free(&signature)); EXPECT_SUCCESS(s2n_stuffer_free(&certificate_in)); EXPECT_SUCCESS(s2n_stuffer_free(&certificate_out)); EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_in)); EXPECT_SUCCESS(s2n_stuffer_free(&dhparams_out)); EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_in)); EXPECT_SUCCESS(s2n_stuffer_free(&rsa_key_out)); END_TEST(); }
int s2n_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen) { s2n_hash_algorithm hash_alg = S2N_HASH_NONE; state->currently_in_hash_block = 0; state->digest_size = 0; state->block_size = 64; state->hash_block_size = 64; switch (alg) { case S2N_HMAC_NONE: break; case S2N_HMAC_SSLv3_MD5: state->block_size = 48; /* Fall through ... */ case S2N_HMAC_MD5: hash_alg = S2N_HASH_MD5; state->digest_size = MD5_DIGEST_LENGTH; break; case S2N_HMAC_SSLv3_SHA1: state->block_size = 40; /* Fall through ... */ case S2N_HMAC_SHA1: hash_alg = S2N_HASH_SHA1; state->digest_size = SHA_DIGEST_LENGTH; break; case S2N_HMAC_SHA224: hash_alg = S2N_HASH_SHA224; state->digest_size = SHA224_DIGEST_LENGTH; break; case S2N_HMAC_SHA256: hash_alg = S2N_HASH_SHA256; state->digest_size = SHA256_DIGEST_LENGTH; break; case S2N_HMAC_SHA384: hash_alg = S2N_HASH_SHA384; state->digest_size = SHA384_DIGEST_LENGTH; state->block_size = 128; state->hash_block_size = 128; break; case S2N_HMAC_SHA512: hash_alg = S2N_HASH_SHA512; state->digest_size = SHA512_DIGEST_LENGTH; state->block_size = 128; state->hash_block_size = 128; break; default: S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM); } gte_check(sizeof(state->xor_pad), state->block_size); gte_check(sizeof(state->digest_pad), state->digest_size); state->alg = alg; if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5) { return s2n_sslv3_mac_init(state, alg, key, klen); } GUARD(s2n_hash_init(&state->inner_just_key, hash_alg)); GUARD(s2n_hash_init(&state->outer, hash_alg)); uint32_t copied = klen; if (klen > state->block_size) { GUARD(s2n_hash_update(&state->outer, key, klen)); GUARD(s2n_hash_digest(&state->outer, state->digest_pad, state->digest_size)); memcpy_check(state->xor_pad, state->digest_pad, state->digest_size); copied = state->digest_size; } else { memcpy_check(state->xor_pad, key, klen); } for (int i = 0; i < copied; i++) { state->xor_pad[i] ^= 0x36; } for (int i = copied; i < state->block_size; i++) { state->xor_pad[i] = 0x36; } GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size)); /* 0x36 xor 0x5c == 0x6a */ for (int i = 0; i < state->block_size; i++) { state->xor_pad[i] ^= 0x6a; } return s2n_hmac_reset(state); }
int s2n_connection_wipe(struct s2n_connection *conn) { /* First make a copy of everything we'd like to save, which isn't very * much. */ int mode = conn->mode; struct s2n_config *config = conn->config; struct s2n_stuffer alert_in; struct s2n_stuffer reader_alert_out; struct s2n_stuffer writer_alert_out; struct s2n_stuffer handshake_io; struct s2n_stuffer header_in; struct s2n_stuffer in; struct s2n_stuffer out; /* Session keys will be wiped. Preserve structs to avoid reallocation */ struct s2n_session_key initial_client_key; struct s2n_session_key initial_server_key; struct s2n_session_key secure_client_key; struct s2n_session_key secure_server_key; /* Wipe all of the sensitive stuff */ GUARD(s2n_connection_wipe_keys(conn)); GUARD(s2n_stuffer_wipe(&conn->alert_in)); GUARD(s2n_stuffer_wipe(&conn->reader_alert_out)); GUARD(s2n_stuffer_wipe(&conn->writer_alert_out)); GUARD(s2n_stuffer_wipe(&conn->handshake.io)); GUARD(s2n_stuffer_wipe(&conn->header_in)); GUARD(s2n_stuffer_wipe(&conn->in)); GUARD(s2n_stuffer_wipe(&conn->out)); /* Restore the socket option values */ GUARD(s2n_socket_read_restore(conn)); GUARD(s2n_socket_write_restore(conn)); GUARD(s2n_free(&conn->status_response)); /* Allocate or resize to their original sizes */ GUARD(s2n_stuffer_resize(&conn->in, S2N_LARGE_FRAGMENT_LENGTH)); /* Allocate memory for handling handshakes */ GUARD(s2n_stuffer_resize(&conn->handshake.io, S2N_LARGE_RECORD_LENGTH)); /* Clone the stuffers */ /* ignore gcc 4.7 address warnings because dest is allocated on the stack */ /* pragma gcc diagnostic was added in gcc 4.6 */ #if defined(__GNUC__) && GCC_VERSION >= 40600 #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Waddress" #endif memcpy_check(&alert_in, &conn->alert_in, sizeof(struct s2n_stuffer)); memcpy_check(&reader_alert_out, &conn->reader_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&writer_alert_out, &conn->writer_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&handshake_io, &conn->handshake.io, sizeof(struct s2n_stuffer)); memcpy_check(&header_in, &conn->header_in, sizeof(struct s2n_stuffer)); memcpy_check(&in, &conn->in, sizeof(struct s2n_stuffer)); memcpy_check(&out, &conn->out, sizeof(struct s2n_stuffer)); memcpy_check(&initial_client_key, &conn->initial.client_key, sizeof(struct s2n_session_key)); memcpy_check(&initial_server_key, &conn->initial.server_key, sizeof(struct s2n_session_key)); memcpy_check(&secure_client_key, &conn->secure.client_key, sizeof(struct s2n_session_key)); memcpy_check(&secure_server_key, &conn->secure.server_key, sizeof(struct s2n_session_key)); #if defined(__GNUC__) && GCC_VERSION >= 40600 #pragma GCC diagnostic pop #endif /* Zero the whole connection structure */ memset_check(conn, 0, sizeof(struct s2n_connection)); conn->readfd = -1; conn->writefd = -1; conn->mode = mode; conn->config = config; conn->close_notify_queued = 0; conn->current_user_data_consumed = 0; conn->initial.cipher_suite = &s2n_null_cipher_suite; conn->secure.cipher_suite = &s2n_null_cipher_suite; conn->server = &conn->initial; conn->client = &conn->initial; conn->max_fragment_length = S2N_SMALL_FRAGMENT_LENGTH; conn->handshake.handshake_type = INITIAL; conn->handshake.message_number = 0; GUARD(s2n_hash_init(&conn->handshake.md5, S2N_HASH_MD5)); GUARD(s2n_hash_init(&conn->handshake.sha1, S2N_HASH_SHA1)); GUARD(s2n_hash_init(&conn->handshake.sha256, S2N_HASH_SHA256)); GUARD(s2n_hash_init(&conn->handshake.sha384, S2N_HASH_SHA384)); GUARD(s2n_hmac_init(&conn->client->client_record_mac, S2N_HMAC_NONE, NULL, 0)); GUARD(s2n_hmac_init(&conn->server->server_record_mac, S2N_HMAC_NONE, NULL, 0)); memcpy_check(&conn->alert_in, &alert_in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->reader_alert_out, &reader_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&conn->writer_alert_out, &writer_alert_out, sizeof(struct s2n_stuffer)); memcpy_check(&conn->handshake.io, &handshake_io, sizeof(struct s2n_stuffer)); memcpy_check(&conn->header_in, &header_in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->in, &in, sizeof(struct s2n_stuffer)); memcpy_check(&conn->out, &out, sizeof(struct s2n_stuffer)); memcpy_check(&conn->initial.client_key, &initial_client_key, sizeof(struct s2n_session_key)); memcpy_check(&conn->initial.server_key, &initial_server_key, sizeof(struct s2n_session_key)); memcpy_check(&conn->secure.client_key, &secure_client_key, sizeof(struct s2n_session_key)); memcpy_check(&conn->secure.server_key, &secure_server_key, sizeof(struct s2n_session_key)); if (conn->mode == S2N_SERVER) { conn->server_protocol_version = s2n_highest_protocol_version; conn->client_protocol_version = s2n_unknown_protocol_version; } else { conn->server_protocol_version = s2n_unknown_protocol_version; conn->client_protocol_version = s2n_highest_protocol_version; } conn->actual_protocol_version = s2n_unknown_protocol_version; return 0; }