LCOV - code coverage report
Current view: top level - tls/extensions - s2n_client_psk.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 202 208 97.1 %
Date: 2026-07-04 07:27:58 Functions: 11 11 100.0 %
Branches: 114 250 45.6 %

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "tls/extensions/s2n_client_psk.h"
      17                 :            : 
      18                 :            : #include <stdint.h>
      19                 :            : 
      20                 :            : #include "crypto/s2n_hash.h"
      21                 :            : #include "tls/s2n_psk.h"
      22                 :            : #include "tls/s2n_tls.h"
      23                 :            : #include "tls/s2n_tls_parameters.h"
      24                 :            : #include "utils/s2n_bitmap.h"
      25                 :            : #include "utils/s2n_safety.h"
      26                 :            : 
      27                 :       1092 : #define SIZE_OF_BINDER_SIZE      sizeof(uint8_t)
      28                 :       2140 : #define SIZE_OF_BINDER_LIST_SIZE sizeof(uint16_t)
      29                 :            : 
      30                 :            : /* To avoid a DoS attack triggered by decrypting too many session tickets,
      31                 :            :  * set a limit on the number of tickets we will attempt to decrypt before giving up.
      32                 :            :  * We may want to make this configurable someday, but just set a reasonable maximum for now. */
      33                 :        113 : #define MAX_REJECTED_TICKETS 3
      34                 :            : 
      35                 :            : static int s2n_client_psk_send(struct s2n_connection *conn, struct s2n_stuffer *out);
      36                 :            : static int s2n_client_psk_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
      37                 :            : static int s2n_client_psk_is_missing(struct s2n_connection *conn);
      38                 :            : 
      39                 :            : const s2n_extension_type s2n_client_psk_extension = {
      40                 :            :     .iana_value = TLS_EXTENSION_PRE_SHARED_KEY,
      41                 :            :     .minimum_version = S2N_TLS13,
      42                 :            :     .is_response = false,
      43                 :            :     .send = s2n_client_psk_send,
      44                 :            :     .recv = s2n_client_psk_recv,
      45                 :            :     .should_send = s2n_client_psk_should_send,
      46                 :            :     .if_missing = s2n_client_psk_is_missing,
      47                 :            : };
      48                 :            : 
      49                 :            : int s2n_client_psk_is_missing(struct s2n_connection *conn)
      50                 :       4169 : {
      51 [ #  # ][ -  + ]:       4169 :     POSIX_ENSURE_REF(conn);
      52                 :            : 
      53                 :            :     /* If the PSK extension is missing, we must not have received
      54                 :            :      * a request for early data.
      55                 :            :      *
      56                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.10
      57                 :            :      *# When a PSK is used and early data is allowed for that PSK, the client
      58                 :            :      *# can send Application Data in its first flight of messages.  If the
      59                 :            :      *# client opts to do so, it MUST supply both the "pre_shared_key" and
      60                 :            :      *# "early_data" extensions.
      61                 :            :      */
      62 [ #  # ][ -  + ]:       4169 :     POSIX_ENSURE(conn->early_data_state != S2N_EARLY_DATA_REQUESTED, S2N_ERR_UNSUPPORTED_EXTENSION);
      63                 :       4169 :     return S2N_SUCCESS;
      64                 :       4169 : }
      65                 :            : 
      66                 :            : bool s2n_client_psk_should_send(struct s2n_connection *conn)
      67                 :       6416 : {
      68 [ +  + ][ -  + ]:       6416 :     if (!conn || !conn->secure) {
      69                 :          1 :         return false;
      70                 :          1 :     }
      71                 :            : 
      72                 :            :     /* If this is NOT the second ClientHello after a retry, then all PSKs are viable.
      73                 :            :      * Send the extension if any PSKs are configured.
      74                 :            :      */
      75         [ +  + ]:       6415 :     if (!s2n_is_hello_retry_handshake(conn)) {
      76                 :       5731 :         return conn->psk_params.psk_list.len > 0;
      77                 :       5731 :     }
      78                 :            : 
      79                 :            :     /* If this is the second ClientHello after a retry, then only PSKs that match the cipher suite
      80                 :            :      * are viable. Only send the extension if at least one configured PSK matches the cipher suite.
      81                 :            :      */
      82         [ +  + ]:        690 :     for (size_t i = 0; i < conn->psk_params.psk_list.len; i++) {
      83                 :        480 :         struct s2n_psk *psk = NULL;
      84         [ +  - ]:        480 :         if (s2n_result_is_ok(s2n_array_get(&conn->psk_params.psk_list, i, (void **) &psk))
      85         [ +  - ]:        480 :                 && psk != NULL
      86         [ +  + ]:        480 :                 && conn->secure->cipher_suite->prf_alg == psk->hmac_alg) {
      87                 :        474 :             return true;
      88                 :        474 :         }
      89                 :        480 :     }
      90                 :        210 :     return false;
      91                 :        684 : }
      92                 :            : 
      93                 :            : /**
      94                 :            :  *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11.1
      95                 :            :  *# The "obfuscated_ticket_age"
      96                 :            :  *# field of each PskIdentity contains an obfuscated version of the
      97                 :            :  *# ticket age formed by taking the age in milliseconds and adding the
      98                 :            :  *# "ticket_age_add" value that was included with the ticket (see
      99                 :            :  *# Section 4.6.1), modulo 2^32.
     100                 :            : */
     101                 :            : static S2N_RESULT s2n_generate_obfuscated_ticket_age(struct s2n_psk *psk, uint64_t current_time, uint32_t *output)
     102                 :       1092 : {
     103 [ -  + ][ #  # ]:       1092 :     RESULT_ENSURE_REF(psk);
     104 [ -  + ][ #  # ]:       1092 :     RESULT_ENSURE_MUT(output);
     105                 :            : 
     106                 :            :     /**
     107                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
     108                 :            :      *# For identities
     109                 :            :      *# established externally, an obfuscated_ticket_age of 0 SHOULD be
     110                 :            :      *# used,
     111                 :            :      **/
     112         [ +  + ]:       1092 :     if (psk->type == S2N_PSK_TYPE_EXTERNAL) {
     113                 :        980 :         *output = 0;
     114                 :        980 :         return S2N_RESULT_OK;
     115                 :        980 :     }
     116                 :            : 
     117 [ -  + ][ #  # ]:        112 :     RESULT_ENSURE(current_time >= psk->ticket_issue_time, S2N_ERR_SAFETY);
     118                 :            : 
     119                 :            :     /* Calculate ticket age */
     120                 :        112 :     uint64_t ticket_age_in_nanos = current_time - psk->ticket_issue_time;
     121                 :            : 
     122                 :            :     /* Convert ticket age to milliseconds */
     123                 :        112 :     uint64_t ticket_age_in_millis = ticket_age_in_nanos / ONE_MILLISEC_IN_NANOS;
     124 [ -  + ][ #  # ]:        112 :     RESULT_ENSURE(ticket_age_in_millis <= UINT32_MAX, S2N_ERR_SAFETY);
     125                 :            : 
     126                 :            :     /* Add the ticket_age_add value to the ticket age in milliseconds. The resulting uint32_t value
     127                 :            :      * may wrap, resulting in the modulo 2^32 operation. */
     128                 :        112 :     *output = ticket_age_in_millis + psk->ticket_age_add;
     129                 :            : 
     130                 :        112 :     return S2N_RESULT_OK;
     131                 :        112 : }
     132                 :            : 
     133                 :            : static int s2n_client_psk_send(struct s2n_connection *conn, struct s2n_stuffer *out)
     134                 :       1076 : {
     135 [ -  + ][ #  # ]:       1076 :     POSIX_ENSURE_REF(conn);
     136 [ -  + ][ #  # ]:       1076 :     POSIX_ENSURE_REF(conn->secure);
     137                 :            : 
     138                 :       1076 :     struct s2n_psk_parameters *psk_params = &conn->psk_params;
     139                 :       1076 :     struct s2n_array *psk_list = &psk_params->psk_list;
     140                 :            : 
     141                 :       1076 :     struct s2n_stuffer_reservation identity_list_size;
     142         [ -  + ]:       1076 :     POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &identity_list_size));
     143                 :            : 
     144                 :       1076 :     uint16_t binder_list_size = SIZE_OF_BINDER_LIST_SIZE;
     145                 :            : 
     146         [ +  + ]:       2168 :     for (size_t i = 0; i < psk_list->len; i++) {
     147                 :       1092 :         struct s2n_psk *psk = NULL;
     148         [ -  + ]:       1092 :         POSIX_GUARD_RESULT(s2n_array_get(psk_list, i, (void **) &psk));
     149 [ -  + ][ #  # ]:       1092 :         POSIX_ENSURE_REF(psk);
     150                 :            : 
     151                 :            :         /**
     152                 :            :          *= https://www.rfc-editor.org/rfc/rfc8446#section-4.1.4
     153                 :            :          *# In addition, in its updated ClientHello, the client SHOULD NOT offer
     154                 :            :          *# any pre-shared keys associated with a hash other than that of the
     155                 :            :          *# selected cipher suite.
     156                 :            :          */
     157 [ +  + ][ -  + ]:       1092 :         if (s2n_is_hello_retry_handshake(conn) && conn->secure->cipher_suite->prf_alg != psk->hmac_alg) {
     158                 :          0 :             continue;
     159                 :          0 :         }
     160                 :            : 
     161                 :            :         /* Write the identity */
     162         [ -  + ]:       1092 :         POSIX_GUARD(s2n_stuffer_write_uint16(out, psk->identity.size));
     163         [ -  + ]:       1092 :         POSIX_GUARD(s2n_stuffer_write(out, &psk->identity));
     164                 :            : 
     165                 :            :         /* Write obfuscated ticket age */
     166                 :       1092 :         uint32_t obfuscated_ticket_age = 0;
     167                 :       1092 :         uint64_t current_time = 0;
     168         [ -  + ]:       1092 :         POSIX_GUARD_RESULT(s2n_config_wall_clock(conn->config, &current_time));
     169         [ -  + ]:       1092 :         POSIX_GUARD_RESULT(s2n_generate_obfuscated_ticket_age(psk, current_time, &obfuscated_ticket_age));
     170         [ -  + ]:       1092 :         POSIX_GUARD(s2n_stuffer_write_uint32(out, obfuscated_ticket_age));
     171                 :            : 
     172                 :            :         /* Calculate binder size */
     173                 :       1092 :         uint8_t hash_size = 0;
     174         [ -  + ]:       1092 :         POSIX_GUARD(s2n_hmac_digest_size(psk->hmac_alg, &hash_size));
     175                 :       1092 :         binder_list_size += hash_size + SIZE_OF_BINDER_SIZE;
     176                 :       1092 :     }
     177                 :            : 
     178         [ -  + ]:       1076 :     POSIX_GUARD(s2n_stuffer_write_vector_size(&identity_list_size));
     179                 :            : 
     180                 :            :     /* Calculating the binders requires a complete ClientHello, and at this point
     181                 :            :      * the extension size, extension list size, and message size are all blank.
     182                 :            :      *
     183                 :            :      * We'll write placeholder data to ensure the extension and extension list sizes
     184                 :            :      * are calculated correctly, then rewrite the binders with real data later. */
     185                 :       1076 :     psk_params->binder_list_size = binder_list_size;
     186         [ -  + ]:       1076 :     POSIX_GUARD(s2n_stuffer_skip_write(out, binder_list_size));
     187                 :            : 
     188                 :       1076 :     return S2N_SUCCESS;
     189                 :       1076 : }
     190                 :            : 
     191                 :            : /* Find the first of the server's PSK identities that matches the client's identities.
     192                 :            :  * This method compares all server identities to all client identities.
     193                 :            :  *
     194                 :            :  * While both the client's identities and whether a match was found are public, we should make an attempt
     195                 :            :  * to keep the server's identities a secret. We will make comparisons to the server's identities constant
     196                 :            :  * time (to hide partial matches) and not end the search early when a match is found (to hide the ordering).
     197                 :            :  *
     198                 :            :  * Keeping these comparisons constant time is not high priority. There's no known attack using these timings,
     199                 :            :  * and an attacker could probably guess the server's known identities just by observing the public identities
     200                 :            :  * sent by clients.
     201                 :            :  */
     202                 :            : static S2N_RESULT s2n_select_external_psk(struct s2n_connection *conn, struct s2n_offered_psk_list *client_identity_list)
     203                 :        958 : {
     204 [ -  + ][ #  # ]:        958 :     RESULT_ENSURE_REF(conn);
     205 [ -  + ][ #  # ]:        958 :     RESULT_ENSURE_REF(client_identity_list);
     206                 :            : 
     207                 :        958 :     struct s2n_array *server_psks = &conn->psk_params.psk_list;
     208                 :        958 :     conn->psk_params.chosen_psk = NULL;
     209                 :            : 
     210         [ +  + ]:       1929 :     for (size_t i = 0; i < server_psks->len; i++) {
     211                 :        971 :         struct s2n_psk *server_psk = NULL;
     212         [ -  + ]:        971 :         RESULT_GUARD(s2n_array_get(server_psks, i, (void **) &server_psk));
     213 [ -  + ][ #  # ]:        971 :         RESULT_ENSURE_REF(server_psk);
     214                 :            : 
     215                 :        971 :         struct s2n_offered_psk client_psk = { 0 };
     216                 :        971 :         uint16_t wire_index = 0;
     217                 :            : 
     218         [ -  + ]:        971 :         RESULT_GUARD_POSIX(s2n_offered_psk_list_reread(client_identity_list));
     219         [ +  + ]:       1980 :         while (s2n_offered_psk_list_has_next(client_identity_list)) {
     220         [ -  + ]:       1009 :             RESULT_GUARD_POSIX(s2n_offered_psk_list_next(client_identity_list, &client_psk));
     221         [ +  + ]:       1009 :             uint16_t compare_size = S2N_MIN(client_psk.identity.size, server_psk->identity.size);
     222         [ +  + ]:       1009 :             if (s2n_constant_time_equals(client_psk.identity.data, server_psk->identity.data, compare_size)
     223                 :       1009 :                     & (client_psk.identity.size == server_psk->identity.size)
     224                 :       1009 :                     & (conn->psk_params.chosen_psk == NULL)) {
     225                 :        955 :                 conn->psk_params.chosen_psk = server_psk;
     226                 :        955 :                 conn->psk_params.chosen_psk_wire_index = wire_index;
     227                 :        955 :             }
     228                 :       1009 :             wire_index++;
     229                 :       1009 :         };
     230                 :        971 :     }
     231 [ +  - ][ +  + ]:        958 :     RESULT_ENSURE_REF(conn->psk_params.chosen_psk);
     232                 :        955 :     return S2N_RESULT_OK;
     233                 :        958 : }
     234                 :            : 
     235                 :            : static S2N_RESULT s2n_select_resumption_psk(struct s2n_connection *conn, struct s2n_offered_psk_list *client_identity_list)
     236                 :        113 : {
     237 [ #  # ][ -  + ]:        113 :     RESULT_ENSURE_REF(conn);
     238 [ #  # ][ -  + ]:        113 :     RESULT_ENSURE_REF(client_identity_list);
     239                 :            : 
     240                 :        113 :     struct s2n_offered_psk client_psk = { 0 };
     241                 :        113 :     conn->psk_params.chosen_psk = NULL;
     242                 :            : 
     243                 :        113 :     uint8_t rejected_count = 0;
     244 [ +  + ][ +  - ]:        118 :     while (s2n_offered_psk_list_has_next(client_identity_list) && (rejected_count < MAX_REJECTED_TICKETS)) {
     245         [ -  + ]:        113 :         RESULT_GUARD_POSIX(s2n_offered_psk_list_next(client_identity_list, &client_psk));
     246                 :            :         /* Select the first resumption PSK that can be decrypted */
     247         [ +  + ]:        113 :         if (s2n_offered_psk_list_choose_psk(client_identity_list, &client_psk) == S2N_SUCCESS) {
     248                 :        108 :             return S2N_RESULT_OK;
     249                 :        108 :         }
     250                 :          5 :         rejected_count++;
     251                 :          5 :     }
     252                 :            : 
     253         [ +  - ]:          5 :     RESULT_BAIL(S2N_ERR_INVALID_SESSION_TICKET);
     254                 :          5 : }
     255                 :            : 
     256                 :            : static S2N_RESULT s2n_client_psk_recv_identity_list(struct s2n_connection *conn, struct s2n_stuffer *wire_identities_in)
     257                 :       1072 : {
     258 [ -  + ][ #  # ]:       1072 :     RESULT_ENSURE_REF(conn);
     259 [ -  + ][ #  # ]:       1072 :     RESULT_ENSURE_REF(conn->config);
     260 [ -  + ][ #  # ]:       1072 :     RESULT_ENSURE_REF(wire_identities_in);
     261                 :            : 
     262                 :       1072 :     struct s2n_offered_psk_list identity_list = {
     263                 :       1072 :         .conn = conn,
     264                 :       1072 :         .wire_data = *wire_identities_in,
     265                 :       1072 :     };
     266                 :            : 
     267         [ +  + ]:       1072 :     if (conn->config->psk_selection_cb) {
     268         [ -  + ]:          1 :         RESULT_GUARD_POSIX(conn->config->psk_selection_cb(conn, conn->config->psk_selection_ctx, &identity_list));
     269         [ +  + ]:       1071 :     } else if (conn->psk_params.type == S2N_PSK_TYPE_EXTERNAL) {
     270         [ +  + ]:        958 :         RESULT_GUARD(s2n_select_external_psk(conn, &identity_list));
     271         [ +  - ]:        958 :     } else if (conn->psk_params.type == S2N_PSK_TYPE_RESUMPTION) {
     272         [ +  + ]:        113 :         RESULT_GUARD(s2n_select_resumption_psk(conn, &identity_list));
     273                 :        113 :     }
     274                 :            : 
     275 [ #  # ][ -  + ]:       1064 :     RESULT_ENSURE_REF(conn->psk_params.chosen_psk);
     276                 :       1064 :     return S2N_RESULT_OK;
     277                 :       1064 : }
     278                 :            : 
     279                 :            : static S2N_RESULT s2n_client_psk_recv_binder_list(struct s2n_connection *conn, struct s2n_blob *partial_client_hello,
     280                 :            :         struct s2n_stuffer *wire_binders_in)
     281                 :       1064 : {
     282 [ -  + ][ #  # ]:       1064 :     RESULT_ENSURE_REF(conn);
     283 [ #  # ][ -  + ]:       1064 :     RESULT_ENSURE_REF(wire_binders_in);
     284                 :            : 
     285                 :       1064 :     uint16_t wire_index = 0;
     286         [ +  - ]:       1073 :     while (s2n_stuffer_data_available(wire_binders_in) > 0) {
     287                 :       1073 :         uint8_t wire_binder_size = 0;
     288         [ -  + ]:       1073 :         RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(wire_binders_in, &wire_binder_size));
     289                 :            : 
     290                 :       1073 :         uint8_t *wire_binder_data = NULL;
     291 [ #  # ][ -  + ]:       1073 :         RESULT_ENSURE_REF(wire_binder_data = s2n_stuffer_raw_read(wire_binders_in, wire_binder_size));
     292                 :            : 
     293                 :       1073 :         struct s2n_blob wire_binder = { 0 };
     294         [ -  + ]:       1073 :         RESULT_GUARD_POSIX(s2n_blob_init(&wire_binder, wire_binder_data, wire_binder_size));
     295                 :            : 
     296         [ +  + ]:       1073 :         if (wire_index == conn->psk_params.chosen_psk_wire_index) {
     297         [ -  + ]:       1064 :             RESULT_GUARD_POSIX(s2n_psk_verify_binder(conn, conn->psk_params.chosen_psk,
     298                 :       1064 :                     partial_client_hello, &wire_binder));
     299                 :       1064 :             return S2N_RESULT_OK;
     300                 :       1064 :         }
     301                 :          9 :         wire_index++;
     302                 :          9 :     }
     303         [ #  # ]:          0 :     RESULT_BAIL(S2N_ERR_BAD_MESSAGE);
     304                 :          0 : }
     305                 :            : 
     306                 :            : static S2N_RESULT s2n_client_psk_recv_identities(struct s2n_connection *conn, struct s2n_stuffer *extension)
     307                 :       1072 : {
     308 [ -  + ][ #  # ]:       1072 :     RESULT_ENSURE_REF(conn);
     309                 :            : 
     310                 :       1072 :     uint16_t identity_list_size = 0;
     311         [ -  + ]:       1072 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(extension, &identity_list_size));
     312                 :            : 
     313                 :       1072 :     uint8_t *identity_list_data = NULL;
     314 [ #  # ][ -  + ]:       1072 :     RESULT_ENSURE_REF(identity_list_data = s2n_stuffer_raw_read(extension, identity_list_size));
     315                 :            : 
     316                 :       1072 :     struct s2n_blob identity_list_blob = { 0 };
     317         [ -  + ]:       1072 :     RESULT_GUARD_POSIX(s2n_blob_init(&identity_list_blob, identity_list_data, identity_list_size));
     318                 :            : 
     319                 :       1072 :     struct s2n_stuffer identity_list = { 0 };
     320         [ -  + ]:       1072 :     RESULT_GUARD_POSIX(s2n_stuffer_init(&identity_list, &identity_list_blob));
     321         [ -  + ]:       1072 :     RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&identity_list, identity_list_blob.size));
     322                 :            : 
     323                 :       1072 :     return s2n_client_psk_recv_identity_list(conn, &identity_list);
     324                 :       1072 : }
     325                 :            : 
     326                 :            : static S2N_RESULT s2n_client_psk_recv_binders(struct s2n_connection *conn, struct s2n_stuffer *extension)
     327                 :       1064 : {
     328 [ #  # ][ -  + ]:       1064 :     RESULT_ENSURE_REF(conn);
     329                 :            : 
     330                 :       1064 :     uint16_t binder_list_size = 0;
     331         [ -  + ]:       1064 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(extension, &binder_list_size));
     332                 :            : 
     333                 :       1064 :     uint8_t *binder_list_data = NULL;
     334 [ #  # ][ -  + ]:       1064 :     RESULT_ENSURE_REF(binder_list_data = s2n_stuffer_raw_read(extension, binder_list_size));
     335                 :            : 
     336                 :       1064 :     struct s2n_blob binder_list_blob = { 0 };
     337         [ -  + ]:       1064 :     RESULT_GUARD_POSIX(s2n_blob_init(&binder_list_blob, binder_list_data, binder_list_size));
     338                 :            : 
     339                 :       1064 :     struct s2n_stuffer binder_list = { 0 };
     340         [ -  + ]:       1064 :     RESULT_GUARD_POSIX(s2n_stuffer_init(&binder_list, &binder_list_blob));
     341         [ -  + ]:       1064 :     RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&binder_list, binder_list_blob.size));
     342                 :            : 
     343                 :            :     /* Record the ClientHello message up to but not including the binder list.
     344                 :            :      * This is required to calculate the binder for the chosen PSK. */
     345                 :       1064 :     struct s2n_blob partial_client_hello = { 0 };
     346                 :       1064 :     const struct s2n_stuffer *client_hello = &conn->handshake.io;
     347                 :       1064 :     uint32_t binders_size = binder_list_blob.size + SIZE_OF_BINDER_LIST_SIZE;
     348 [ #  # ][ -  + ]:       1064 :     RESULT_ENSURE_GTE(client_hello->write_cursor, binders_size);
     349                 :       1064 :     uint32_t partial_client_hello_size = client_hello->write_cursor - binders_size;
     350         [ -  + ]:       1064 :     RESULT_GUARD_POSIX(s2n_blob_slice(&client_hello->blob, &partial_client_hello, 0, partial_client_hello_size));
     351                 :            : 
     352                 :       1064 :     return s2n_client_psk_recv_binder_list(conn, &partial_client_hello, &binder_list);
     353                 :       1064 : }
     354                 :            : 
     355                 :            : int s2n_client_psk_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
     356                 :       1072 : {
     357 [ #  # ][ -  + ]:       1072 :     POSIX_ENSURE_REF(conn);
     358                 :            : 
     359                 :            :     /**
     360                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
     361                 :            :      *# The "pre_shared_key" extension MUST be the last extension in the
     362                 :            :      *# ClientHello (this facilitates implementation as described below).
     363                 :            :      *# Servers MUST check that it is the last extension and otherwise fail
     364                 :            :      *# the handshake with an "illegal_parameter" alert.
     365                 :            :      */
     366                 :       1072 :     s2n_extension_type_id psk_ext_id = 0;
     367         [ -  + ]:       1072 :     POSIX_GUARD(s2n_extension_supported_iana_value_to_id(TLS_EXTENSION_PRE_SHARED_KEY, &psk_ext_id));
     368 [ #  # ][ -  + ]:       1072 :     POSIX_ENSURE_NE(conn->client_hello.extensions.count, 0);
     369                 :       1072 :     uint16_t last_wire_index = conn->client_hello.extensions.count - 1;
     370                 :       1072 :     uint16_t extension_wire_index = conn->client_hello.extensions.parsed_extensions[psk_ext_id].wire_index;
     371 [ -  + ][ #  # ]:       1072 :     POSIX_ENSURE(extension_wire_index == last_wire_index, S2N_ERR_UNSUPPORTED_EXTENSION);
     372                 :            : 
     373                 :            :     /**
     374                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.9
     375                 :            :      *# If clients offer "pre_shared_key" without a "psk_key_exchange_modes" extension,
     376                 :            :      *# servers MUST abort the handshake.
     377                 :            :      *
     378                 :            :      * We can safely do this check here because s2n_client_psk is
     379                 :            :      * required to be the last extension sent in the list.
     380                 :            :      */
     381                 :       1072 :     s2n_extension_type_id psk_ke_mode_ext_id = 0;
     382         [ -  + ]:       1072 :     POSIX_GUARD(s2n_extension_supported_iana_value_to_id(TLS_EXTENSION_PSK_KEY_EXCHANGE_MODES, &psk_ke_mode_ext_id));
     383 [ -  + ][ #  # ]:       1072 :     POSIX_ENSURE(S2N_CBIT_TEST(conn->extension_requests_received, psk_ke_mode_ext_id), S2N_ERR_MISSING_EXTENSION);
     384                 :            : 
     385         [ +  - ]:       1072 :     if (conn->psk_params.psk_ke_mode == S2N_PSK_DHE_KE) {
     386                 :       1072 :         s2n_extension_type_id key_share_ext_id = 0;
     387         [ -  + ]:       1072 :         POSIX_GUARD(s2n_extension_supported_iana_value_to_id(TLS_EXTENSION_KEY_SHARE, &key_share_ext_id));
     388                 :            :         /* A key_share extension must have been received in order to use a pre-shared key
     389                 :            :          * in (EC)DHE key exchange mode.
     390                 :            :          */
     391 [ #  # ][ -  + ]:       1072 :         POSIX_ENSURE(S2N_CBIT_TEST(conn->extension_requests_received, key_share_ext_id), S2N_ERR_MISSING_EXTENSION);
     392                 :       1072 :     } else {
     393                 :            :         /* s2n currently only supports pre-shared keys in (EC)DHE key exchange mode. If we receive keys with any other
     394                 :            :          * exchange mode we fall back to a full handshake.
     395                 :            :          */
     396                 :          0 :         return S2N_SUCCESS;
     397                 :          0 :     }
     398                 :            : 
     399         [ +  + ]:       1072 :     if (s2n_result_is_error(s2n_client_psk_recv_identities(conn, extension))) {
     400                 :            :         /**
     401                 :            :          *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
     402                 :            :          *# If no acceptable PSKs are found, the server SHOULD perform a non-PSK
     403                 :            :          *# handshake if possible.
     404                 :            :          */
     405                 :          8 :         conn->psk_params.chosen_psk = NULL;
     406                 :          8 :     }
     407                 :            : 
     408         [ +  + ]:       1072 :     if (conn->psk_params.chosen_psk) {
     409                 :            :         /**
     410                 :            :          *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
     411                 :            :          *# Prior to accepting PSK key establishment, the server MUST validate
     412                 :            :          *# the corresponding binder value (see Section 4.2.11.2 below).  If this
     413                 :            :          *# value is not present or does not validate, the server MUST abort the
     414                 :            :          *# handshake.
     415                 :            :          */
     416         [ -  + ]:       1064 :         POSIX_GUARD_RESULT(s2n_client_psk_recv_binders(conn, extension));
     417                 :       1064 :     }
     418                 :            : 
     419                 :            :     /* At this point, we have either chosen a PSK or fallen back to a full handshake. */
     420                 :       1072 :     return S2N_SUCCESS;
     421                 :       1072 : }

Generated by: LCOV version 1.14