Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/extensions/s2n_server_key_share.h"
17 : :
18 : : #include "crypto/s2n_pq.h"
19 : : #include "tls/s2n_security_policies.h"
20 : : #include "tls/s2n_supported_group_preferences.h"
21 : : #include "tls/s2n_tls.h"
22 : : #include "tls/s2n_tls13.h"
23 : : #include "utils/s2n_safety.h"
24 : :
25 : : static int s2n_server_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out);
26 : : static int s2n_server_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
27 : :
28 : : const s2n_extension_type s2n_server_key_share_extension = {
29 : : .iana_value = TLS_EXTENSION_KEY_SHARE,
30 : : .minimum_version = S2N_TLS13,
31 : : .is_response = true,
32 : : .send = s2n_server_key_share_send,
33 : : .recv = s2n_server_key_share_recv,
34 : : .should_send = s2n_extension_always_send,
35 : : .if_missing = s2n_extension_noop_if_missing,
36 : : };
37 : :
38 : : static int s2n_server_key_share_send_hybrid_partial_ecc(struct s2n_connection *conn, struct s2n_stuffer *out)
39 : 0 : {
40 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
41 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(out);
42 : :
43 : 0 : struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params;
44 : 0 : struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params;
45 : :
46 : 0 : struct s2n_ecc_evp_params *server_ecc_params = &server_kem_group_params->ecc_params;
47 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(server_ecc_params->negotiated_curve);
48 [ # # ]: 0 : if (client_kem_params->len_prefixed) {
49 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_uint16(out, server_ecc_params->negotiated_curve->share_size));
50 : 0 : }
51 [ # # ]: 0 : POSIX_GUARD(s2n_ecc_evp_generate_ephemeral_key(server_ecc_params));
52 [ # # ]: 0 : POSIX_GUARD(s2n_ecc_evp_write_params_point(server_ecc_params, out));
53 : :
54 : 0 : return S2N_SUCCESS;
55 : 0 : }
56 : :
57 : : static int s2n_server_key_share_generate_pq(struct s2n_connection *conn, struct s2n_stuffer *out)
58 : 0 : {
59 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(out);
60 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
61 : :
62 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_UNIMPLEMENTED);
63 : :
64 : 0 : struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params;
65 : 0 : struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params;
66 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(client_kem_params->public_key.data);
67 : :
68 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(server_kem_group_params->kem_group);
69 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_uint16(out, server_kem_group_params->kem_group->iana_id));
70 : :
71 : 0 : struct s2n_stuffer_reservation total_share_size = { 0 };
72 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &total_share_size));
73 : :
74 : : /* s2n_kem_send_ciphertext() will generate the PQ shared secret and use
75 : : * the client's public key to encapsulate; the PQ shared secret will be
76 : : * stored in client_kem_params, and will be used during the shared
77 : : * secret derivation. */
78 [ # # ]: 0 : if (server_kem_group_params->kem_group->curve == &s2n_ecc_curve_none) { /* Pure PQ */
79 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_ciphertext(out, client_kem_params));
80 : 0 : } else { /* Hybrid PQ */
81 [ # # ]: 0 : if (server_kem_group_params->kem_group->send_kem_first) {
82 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_ciphertext(out, client_kem_params));
83 [ # # ]: 0 : POSIX_GUARD(s2n_server_key_share_send_hybrid_partial_ecc(conn, out));
84 : 0 : } else {
85 [ # # ]: 0 : POSIX_GUARD(s2n_server_key_share_send_hybrid_partial_ecc(conn, out));
86 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_ciphertext(out, client_kem_params));
87 : 0 : }
88 : 0 : }
89 : :
90 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_vector_size(&total_share_size));
91 : 0 : return S2N_SUCCESS;
92 : 0 : }
93 : :
94 : : /* Check that client has sent a corresponding key share for the server's KEM group */
95 : : int s2n_server_key_share_send_check_pq(struct s2n_connection *conn)
96 : 2 : {
97 [ + + ][ + - ]: 2 : POSIX_ENSURE_REF(conn);
98 : :
99 [ + - ][ + - ]: 1 : POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_UNIMPLEMENTED);
100 : :
101 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->kex_params.server_kem_group_params.kem_group);
102 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->kex_params.server_kem_group_params.kem_params.kem);
103 : :
104 : 0 : const struct s2n_kem_preferences *kem_pref = NULL;
105 [ # # ]: 0 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
106 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_pref);
107 : :
108 : 0 : const struct s2n_kem_group *server_kem_group = conn->kex_params.server_kem_group_params.kem_group;
109 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_kem_preferences_includes_tls13_kem_group(kem_pref, server_kem_group->iana_id),
110 : 0 : S2N_ERR_KEM_UNSUPPORTED_PARAMS);
111 : :
112 : 0 : struct s2n_kem_group_params *client_params = &conn->kex_params.client_kem_group_params;
113 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_params->kem_group == server_kem_group, S2N_ERR_BAD_KEY_SHARE);
114 : :
115 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_params->kem_params.kem == server_kem_group->kem, S2N_ERR_BAD_KEY_SHARE);
116 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_params->kem_params.public_key.size == server_kem_group->kem->public_key_length, S2N_ERR_BAD_KEY_SHARE);
117 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_params->kem_params.public_key.data != NULL, S2N_ERR_BAD_KEY_SHARE);
118 : :
119 : 0 : return S2N_SUCCESS;
120 : 0 : }
121 : :
122 : : /* Check that client has sent a corresponding key share for the server's EC curve */
123 : : int s2n_server_key_share_send_check_ecdhe(struct s2n_connection *conn)
124 : 4618 : {
125 [ + + ][ + - ]: 4618 : POSIX_ENSURE_REF(conn);
126 : :
127 : 4617 : const struct s2n_ecc_preferences *ecc_pref = NULL;
128 [ - + ]: 4617 : POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
129 [ # # ][ - + ]: 4617 : POSIX_ENSURE_REF(ecc_pref);
130 : :
131 : 4617 : const struct s2n_ecc_named_curve *server_curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
132 [ + - ][ + + ]: 4617 : POSIX_ENSURE_REF(server_curve);
133 : :
134 : 4616 : struct s2n_ecc_evp_params *client_params = &conn->kex_params.client_ecc_evp_params;
135 [ + - ][ + + ]: 4616 : POSIX_ENSURE(client_params->negotiated_curve == server_curve, S2N_ERR_BAD_KEY_SHARE);
136 [ + + ][ + - ]: 4614 : POSIX_ENSURE(client_params->evp_pkey != NULL, S2N_ERR_BAD_KEY_SHARE);
137 : :
138 : 4608 : return S2N_SUCCESS;
139 : 4614 : }
140 : :
141 : : static int s2n_server_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out)
142 : 5294 : {
143 [ + - ][ + + ]: 5294 : POSIX_ENSURE_REF(conn);
144 [ + - ][ + + ]: 5293 : POSIX_ENSURE_REF(out);
145 : :
146 : 5292 : const struct s2n_ecc_named_curve *curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
147 : 5292 : const struct s2n_kem_group *kem_group = conn->kex_params.server_kem_group_params.kem_group;
148 : :
149 : : /* Boolean XOR: exactly one of {server_curve, server_kem_group} should be non-null. */
150 [ + - ][ + + ]: 5292 : POSIX_ENSURE((curve == NULL) != (kem_group == NULL), S2N_ERR_INVALID_SUPPORTED_GROUP_STATE);
151 : :
152 : : /* Retry requests only require the selected named group, not an actual share.
153 : : * https://tools.ietf.org/html/rfc8446#section-4.2.8 */
154 [ + + ]: 5290 : if (s2n_is_hello_retry_message(conn)) {
155 : 678 : uint16_t named_group_id = 0;
156 [ + - ]: 678 : if (curve != NULL) {
157 : 678 : named_group_id = curve->iana_id;
158 : 678 : } else {
159 : 0 : named_group_id = kem_group->iana_id;
160 : 0 : }
161 : :
162 [ - + ]: 678 : POSIX_GUARD(s2n_stuffer_write_uint16(out, named_group_id));
163 : 678 : return S2N_SUCCESS;
164 : 678 : }
165 : :
166 [ + - ]: 4612 : if (curve != NULL) {
167 [ + + ]: 4612 : POSIX_GUARD(s2n_server_key_share_send_check_ecdhe(conn));
168 [ - + ]: 4607 : POSIX_GUARD(s2n_ecdhe_parameters_send(&conn->kex_params.server_ecc_evp_params, out));
169 : 4607 : } else {
170 [ # # ]: 0 : POSIX_GUARD(s2n_server_key_share_send_check_pq(conn));
171 [ # # ]: 0 : POSIX_GUARD(s2n_server_key_share_generate_pq(conn, out));
172 : 0 : }
173 : :
174 : 4607 : return S2N_SUCCESS;
175 : 4612 : }
176 : :
177 : : static int s2n_server_key_share_recv_hybrid_partial_ecc(struct s2n_connection *conn, struct s2n_stuffer *extension)
178 : 0 : {
179 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
180 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(extension);
181 : :
182 : 0 : struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params;
183 : 0 : struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params;
184 : 0 : const struct s2n_kem_group *server_kem_group = server_kem_group_params->kem_group;
185 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(server_kem_group);
186 : 0 : uint16_t expected_ecc_share_size = server_kem_group->curve->share_size;
187 : :
188 : : /* Parse ECC key share */
189 [ # # ]: 0 : if (client_kem_params->len_prefixed) {
190 : 0 : uint16_t actual_ecc_share_size = 0;
191 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_read_uint16(extension, &actual_ecc_share_size));
192 [ # # ][ # # ]: 0 : POSIX_ENSURE(actual_ecc_share_size == expected_ecc_share_size, S2N_ERR_BAD_KEY_SHARE);
193 : 0 : }
194 : :
195 : 0 : struct s2n_blob point_blob = { 0 };
196 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_ecc_evp_read_params_point(extension, expected_ecc_share_size, &point_blob) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
197 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_ecc_evp_parse_params_point(&point_blob, &server_kem_group_params->ecc_params) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
198 [ # # ][ # # ]: 0 : POSIX_ENSURE(server_kem_group_params->ecc_params.evp_pkey != NULL, S2N_ERR_BAD_KEY_SHARE);
199 : :
200 : 0 : return S2N_SUCCESS;
201 : 0 : }
202 : :
203 : : static int s2n_server_key_share_recv_pq(struct s2n_connection *conn, uint16_t named_group_iana,
204 : : struct s2n_stuffer *extension)
205 : 1 : {
206 [ - + ][ # # ]: 1 : POSIX_ENSURE_REF(conn);
207 [ - + ][ # # ]: 1 : POSIX_ENSURE_REF(extension);
208 : :
209 : : /* If PQ is disabled, the client should not have sent any PQ IDs
210 : : * in the supported_groups list of the initial ClientHello */
211 [ + - ][ + - ]: 1 : POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
212 : :
213 : 0 : const struct s2n_kem_preferences *kem_pref = NULL;
214 [ # # ]: 0 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
215 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_pref);
216 : :
217 : : /* This check should have been done higher up, but including it here as well for extra defense.
218 : : * Uses S2N_ERR_ECDHE_UNSUPPORTED_CURVE for backward compatibility. */
219 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_kem_preferences_includes_tls13_kem_group(kem_pref, named_group_iana), S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
220 : :
221 : 0 : size_t kem_group_index = 0;
222 [ # # ]: 0 : for (size_t i = 0; i < kem_pref->tls13_kem_group_count; i++) {
223 [ # # ]: 0 : if (named_group_iana == kem_pref->tls13_kem_groups[i]->iana_id
224 [ # # ]: 0 : && s2n_kem_group_is_available(kem_pref->tls13_kem_groups[i])) {
225 : 0 : kem_group_index = i;
226 : 0 : break;
227 : 0 : }
228 : 0 : }
229 : :
230 : 0 : struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params;
231 : 0 : server_kem_group_params->kem_group = kem_pref->tls13_kem_groups[kem_group_index];
232 : 0 : server_kem_group_params->kem_params.kem = kem_pref->tls13_kem_groups[kem_group_index]->kem;
233 : 0 : server_kem_group_params->ecc_params.negotiated_curve = kem_pref->tls13_kem_groups[kem_group_index]->curve;
234 : :
235 : : /* If this a HRR, the server will only have sent the named group ID. We assign the
236 : : * appropriate KEM group params above, then exit early so that the client can
237 : : * generate the correct key share. */
238 [ # # ]: 0 : if (s2n_is_hello_retry_message(conn)) {
239 : 0 : return S2N_SUCCESS;
240 : 0 : }
241 : :
242 : : /* Ensure that the server's key share corresponds with a key share previously sent by the client */
243 : 0 : struct s2n_kem_group_params *client_kem_group_params = &conn->kex_params.client_kem_group_params;
244 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_kem_group_params->kem_params.private_key.data, S2N_ERR_BAD_KEY_SHARE);
245 [ # # ][ # # ]: 0 : POSIX_ENSURE(client_kem_group_params->kem_group == server_kem_group_params->kem_group, S2N_ERR_BAD_KEY_SHARE);
246 : :
247 : 0 : uint16_t actual_hybrid_share_size = 0;
248 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_read_uint16(extension, &actual_hybrid_share_size));
249 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_stuffer_data_available(extension) == actual_hybrid_share_size, S2N_ERR_BAD_KEY_SHARE);
250 : :
251 : 0 : struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params;
252 : :
253 : : /* Don't need to set client_kem_params->len_prefixed since we are the client;
254 : : * server-side should auto-detect hybrid share size and match our behavior. */
255 : :
256 [ # # ]: 0 : if (server_kem_group_params->kem_group->curve == &s2n_ecc_curve_none) { /* Pure PQ */
257 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_kem_recv_ciphertext(extension, client_kem_params) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
258 : 0 : } else { /* Hybrid PQ */
259 [ # # ]: 0 : if (!server_kem_group_params->kem_group->send_kem_first) {
260 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_server_key_share_recv_hybrid_partial_ecc(conn, extension) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
261 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_kem_recv_ciphertext(extension, client_kem_params) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
262 : 0 : } else {
263 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_kem_recv_ciphertext(extension, client_kem_params) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
264 [ # # ][ # # ]: 0 : POSIX_ENSURE(s2n_server_key_share_recv_hybrid_partial_ecc(conn, extension) == S2N_SUCCESS, S2N_ERR_BAD_KEY_SHARE);
265 : 0 : }
266 : 0 : }
267 : :
268 : 0 : return S2N_SUCCESS;
269 : 0 : }
270 : :
271 : : static int s2n_server_key_share_recv_ecc(struct s2n_connection *conn, uint16_t named_group_iana,
272 : : struct s2n_stuffer *extension)
273 : 5255 : {
274 [ # # ][ - + ]: 5255 : POSIX_ENSURE_REF(conn);
275 [ - + ][ # # ]: 5255 : POSIX_ENSURE_REF(extension);
276 : :
277 : 5255 : const struct s2n_ecc_preferences *ecc_pref = NULL;
278 [ - + ]: 5255 : POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
279 [ - + ][ # # ]: 5255 : POSIX_ENSURE_REF(ecc_pref);
280 : :
281 : : /* This check should have been done higher up, but including it here as well for extra defense. */
282 [ # # ][ - + ]: 5255 : POSIX_ENSURE(s2n_ecc_preferences_includes_curve(ecc_pref, named_group_iana),
283 : 5255 : S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
284 : :
285 : 5255 : size_t supported_curve_index = 0;
286 : :
287 [ + - ]: 7806 : for (size_t i = 0; i < ecc_pref->count; i++) {
288 [ + + ]: 7806 : if (named_group_iana == ecc_pref->ecc_curves[i]->iana_id) {
289 : 5255 : supported_curve_index = i;
290 : 5255 : break;
291 : 5255 : }
292 : 7806 : }
293 : :
294 : 5255 : struct s2n_ecc_evp_params *server_ecc_evp_params = &conn->kex_params.server_ecc_evp_params;
295 : 5255 : const struct s2n_ecc_named_curve *negotiated_curve = ecc_pref->ecc_curves[supported_curve_index];
296 : :
297 : : /**
298 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.2.8
299 : : *# If using (EC)DHE key establishment and a HelloRetryRequest containing a
300 : : *# "key_share" extension was received by the client, the client MUST
301 : : *# verify that the selected NamedGroup in the ServerHello is the same as
302 : : *# that in the HelloRetryRequest. If this check fails, the client MUST
303 : : *# abort the handshake with an "illegal_parameter" alert.
304 : : **/
305 [ + + ][ + + ]: 5255 : if (s2n_is_hello_retry_handshake(conn) && !s2n_is_hello_retry_message(conn)) {
306 [ # # ][ - + ]: 640 : POSIX_ENSURE_REF(server_ecc_evp_params->negotiated_curve);
307 : 640 : const struct s2n_ecc_named_curve *previous_negotiated_curve = server_ecc_evp_params->negotiated_curve;
308 [ + - ][ + + ]: 640 : POSIX_ENSURE(negotiated_curve == previous_negotiated_curve,
309 : 640 : S2N_ERR_BAD_MESSAGE);
310 : 640 : }
311 : :
312 : 5254 : server_ecc_evp_params->negotiated_curve = negotiated_curve;
313 : :
314 : : /* Now that ECC has been negotiated, null out this connection's preferred Hybrid KEMs. They will not be used any
315 : : * more during this TLS connection, but can still be printed by s2nc's client debugging output. */
316 : 5254 : conn->kex_params.client_kem_group_params.kem_group = NULL;
317 : 5254 : conn->kex_params.server_kem_group_params.ecc_params.negotiated_curve = NULL;
318 : 5254 : conn->kex_params.client_kem_group_params.kem_params.kem = NULL;
319 : :
320 : : /* If this is a HelloRetryRequest, we won't have a key share. We just have the selected group.
321 : : * Set the server negotiated curve and exit early so a proper keyshare can be generated. */
322 [ + + ]: 5254 : if (s2n_is_hello_retry_message(conn)) {
323 : 671 : return S2N_SUCCESS;
324 : 671 : }
325 : :
326 : : /* Verify key share sent by client */
327 : 4583 : struct s2n_ecc_evp_params *client_ecc_evp_params = &conn->kex_params.client_ecc_evp_params;
328 [ + + ][ + - ]: 4583 : POSIX_ENSURE(client_ecc_evp_params->negotiated_curve == server_ecc_evp_params->negotiated_curve, S2N_ERR_BAD_KEY_SHARE);
329 [ # # ][ - + ]: 4581 : POSIX_ENSURE(client_ecc_evp_params->evp_pkey, S2N_ERR_BAD_KEY_SHARE);
330 : :
331 : 4581 : uint16_t share_size = 0;
332 [ - + ][ # # ]: 4581 : S2N_ERROR_IF(s2n_stuffer_data_available(extension) < sizeof(share_size), S2N_ERR_BAD_KEY_SHARE);
333 [ - + ]: 4581 : POSIX_GUARD(s2n_stuffer_read_uint16(extension, &share_size));
334 [ - + ][ # # ]: 4581 : S2N_ERROR_IF(s2n_stuffer_data_available(extension) < share_size, S2N_ERR_BAD_KEY_SHARE);
335 : :
336 : : /* Proceed to parse share */
337 : 4581 : struct s2n_blob point_blob = { 0 };
338 [ - + ][ # # ]: 4581 : S2N_ERROR_IF(s2n_ecc_evp_read_params_point(extension, share_size, &point_blob) < 0, S2N_ERR_BAD_KEY_SHARE);
339 [ - + ][ # # ]: 4581 : S2N_ERROR_IF(s2n_ecc_evp_parse_params_point(&point_blob, server_ecc_evp_params) < 0, S2N_ERR_BAD_KEY_SHARE);
340 [ - + ][ # # ]: 4581 : S2N_ERROR_IF(server_ecc_evp_params->evp_pkey == NULL, S2N_ERR_BAD_KEY_SHARE);
341 : :
342 : 4581 : return S2N_SUCCESS;
343 : 4581 : }
344 : :
345 : : /*
346 : : * From https://tools.ietf.org/html/rfc8446#section-4.2.8
347 : : *
348 : : * If using (EC)DHE key establishment, servers offer exactly one
349 : : * KeyShareEntry in the ServerHello. This value MUST be in the same
350 : : * group as the KeyShareEntry value offered by the client that the
351 : : * server has selected for the negotiated key exchange.
352 : : */
353 : : static int s2n_server_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
354 : 5258 : {
355 [ - + ][ # # ]: 5258 : POSIX_ENSURE_REF(conn);
356 [ # # ][ - + ]: 5258 : POSIX_ENSURE_REF(extension);
357 : :
358 : 5258 : uint16_t negotiated_named_group_iana = 0;
359 [ - + ][ # # ]: 5258 : S2N_ERROR_IF(s2n_stuffer_data_available(extension) < sizeof(negotiated_named_group_iana), S2N_ERR_BAD_KEY_SHARE);
360 [ - + ]: 5258 : POSIX_GUARD(s2n_stuffer_read_uint16(extension, &negotiated_named_group_iana));
361 : :
362 : 5258 : const struct s2n_kem_preferences *kem_pref = NULL;
363 [ - + ]: 5258 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
364 [ - + ][ # # ]: 5258 : POSIX_ENSURE_REF(kem_pref);
365 : :
366 : 5258 : const struct s2n_ecc_preferences *ecc_pref = NULL;
367 [ - + ]: 5258 : POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
368 [ - + ][ # # ]: 5258 : POSIX_ENSURE_REF(ecc_pref);
369 : :
370 [ + + ]: 5258 : if (s2n_ecc_preferences_includes_curve(ecc_pref, negotiated_named_group_iana)) {
371 [ + + ]: 5255 : POSIX_GUARD(s2n_server_key_share_recv_ecc(conn, negotiated_named_group_iana, extension));
372 [ + + ]: 5255 : } else if (s2n_kem_preferences_includes_tls13_kem_group(kem_pref, negotiated_named_group_iana)) {
373 [ + - ]: 1 : POSIX_GUARD(s2n_server_key_share_recv_pq(conn, negotiated_named_group_iana, extension));
374 : 2 : } else {
375 [ + - ]: 2 : POSIX_BAIL(S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
376 : 2 : }
377 : :
378 : 5252 : return S2N_SUCCESS;
379 : 5258 : }
380 : :
381 : : /* Selects highest priority mutually supported key share, or indicates need for HRR */
382 : : int s2n_extensions_server_key_share_select(struct s2n_connection *conn)
383 : 5293 : {
384 [ - + ][ # # ]: 5293 : POSIX_ENSURE_REF(conn);
385 : :
386 : : /* Our most preferred mutually supported KeyShares that are negotiable in 1-RTT */
387 : 5293 : const struct s2n_ecc_named_curve *client_curve = conn->kex_params.client_ecc_evp_params.negotiated_curve;
388 : 5293 : const struct s2n_kem_group *client_kem_group = conn->kex_params.client_kem_group_params.kem_group;
389 : :
390 : : /* Our most preferred mutually supported KeyShares that negotiable in 1 or 2 round trips (which may or may not have been sent in the KeyShare by the client) */
391 : 5293 : const struct s2n_ecc_named_curve *server_curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
392 : 5293 : const struct s2n_kem_group *server_kem_group = conn->kex_params.server_kem_group_params.kem_group;
393 : :
394 : : /* Boolean XOR check. When receiving the supported_groups extension, s2n server
395 : : * should (exclusively) set either server_curve or server_kem_group based on the
396 : : * set of mutually supported groups. If both server_curve and server_kem_group
397 : : * are NULL, it is because client and server do not share any mutually supported
398 : : * groups; key negotiation is not possible and the handshake should be aborted
399 : : * without sending HRR. (The case of both being non-NULL should never occur, and
400 : : * is an error.) */
401 [ - + ][ # # ]: 5293 : POSIX_ENSURE((server_curve == NULL) != (server_kem_group == NULL), S2N_ERR_INVALID_SUPPORTED_GROUP_STATE);
402 : :
403 : 5293 : const struct s2n_security_policy *policy = NULL;
404 [ - + ]: 5293 : POSIX_GUARD(s2n_connection_get_security_policy(conn, &policy));
405 [ # # ][ - + ]: 5293 : POSIX_ENSURE_REF(policy);
406 : :
407 : 5293 : const struct s2n_ecc_named_curve *strongly_preferred_curve = NULL;
408 : 5293 : const struct s2n_kem_group *strongly_preferred_kem_group = NULL;
409 : 5293 : bool matched_strongly_preferred_iana = false;
410 : 5293 : bool need_hrr_for_strongly_preferred_group = false;
411 : :
412 : : /* Check if there are any strongly preferred SupportedGroups worth performing a 2-RTT upgrade for. */
413 [ + + ][ + + ]: 5301 : for (size_t i = 0; policy->strongly_preferred_groups != NULL && i < policy->strongly_preferred_groups->count && !matched_strongly_preferred_iana; i++) {
[ + - ]
414 : 8 : uint16_t strongly_preferred_iana = policy->strongly_preferred_groups->iana_ids[i];
415 : :
416 : : /* Strongly preferred groups are not allowed on policies that support PQ, so we don't check KEMs */
417 : :
418 [ + - ][ + + ]: 16 : for (int j = 0; j < S2N_ECC_EVP_SUPPORTED_CURVES_COUNT && !matched_strongly_preferred_iana; j++) {
419 : 8 : const struct s2n_ecc_named_curve *mutually_supported_curve = conn->kex_params.mutually_supported_curves[j];
420 [ - + ]: 8 : if (mutually_supported_curve == NULL) {
421 : 0 : break; /* Reached end of mutually supported ECC curves */
422 : 0 : }
423 [ + - ]: 8 : if (strongly_preferred_iana == mutually_supported_curve->iana_id) {
424 : 8 : matched_strongly_preferred_iana = true;
425 : 8 : strongly_preferred_curve = mutually_supported_curve;
426 : :
427 : : /* Check if we can negotiate our strongly preferred ECC Curve in 1-RTT */
428 [ + - ][ + + ]: 8 : if (client_curve != NULL && (strongly_preferred_iana == client_curve->iana_id)) {
429 : 4 : need_hrr_for_strongly_preferred_group = false;
430 : 4 : } else {
431 : 4 : need_hrr_for_strongly_preferred_group = true;
432 : 4 : }
433 : 8 : }
434 : 8 : }
435 : 8 : }
436 : :
437 : : /* Option 1: Perform a 2-RTT handshake if there is a strongly-preferred SupportedGroup that requires a 2-RTT handshake. */
438 [ + + ][ + + ]: 5293 : if (matched_strongly_preferred_iana && need_hrr_for_strongly_preferred_group) {
439 : : /* Ensure that we chose exactly 1 strongly preferred SupportedGroup */
440 [ # # ][ - + ]: 4 : POSIX_ENSURE((strongly_preferred_curve == NULL) != (strongly_preferred_kem_group == NULL), S2N_ERR_INVALID_SUPPORTED_GROUP_STATE);
441 : :
442 : 4 : conn->kex_params.server_kem_group_params.kem_group = strongly_preferred_kem_group;
443 : 4 : conn->kex_params.server_ecc_evp_params.negotiated_curve = strongly_preferred_curve;
444 [ - + ]: 4 : POSIX_GUARD(s2n_set_hello_retry_required(conn));
445 : 4 : return S2N_SUCCESS;
446 : 4 : }
447 : :
448 : : /* Option 2: Select the best mutually supported PQ KEM Group that can be negotiated in 1-RTT */
449 [ - + ]: 5289 : if (client_kem_group != NULL) {
450 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->kex_params.client_kem_group_params.kem_params.kem);
451 : :
452 : 0 : conn->kex_params.server_kem_group_params.kem_group = conn->kex_params.client_kem_group_params.kem_group;
453 : 0 : conn->kex_params.server_kem_group_params.ecc_params.negotiated_curve = conn->kex_params.client_kem_group_params.ecc_params.negotiated_curve;
454 : 0 : conn->kex_params.server_kem_group_params.kem_params.kem = conn->kex_params.client_kem_group_params.kem_params.kem;
455 : 0 : conn->kex_params.server_ecc_evp_params.negotiated_curve = NULL;
456 : 0 : return S2N_SUCCESS;
457 : 0 : }
458 : :
459 : : /* Option 3: Otherwise, if any PQ Hybrid Groups can be negotiated in 2-RTT's select that one. This ensures that
460 : : * clients who offer PQ (and presumably therefore have concerns about quantum computing impacting the long term
461 : : * confidentiality of their data), have their choice to offer PQ respected, even if they predict the server-side
462 : : * supports a different PQ KeyShare algorithms. This ensures clients with PQ support are never downgraded to non-PQ
463 : : * algorithms. */
464 [ - + ]: 5289 : if (server_kem_group != NULL) {
465 : : /* Null out any available ECC curves so that they won't be sent in the ClientHelloRetry */
466 : 0 : conn->kex_params.server_ecc_evp_params.negotiated_curve = NULL;
467 [ # # ]: 0 : POSIX_GUARD(s2n_set_hello_retry_required(conn));
468 : 0 : return S2N_SUCCESS;
469 : 0 : }
470 : :
471 : : /* Option 4: Otherwise, if there is a mutually supported classical ECDHE-only group can be negotiated in 1-RTT, select that one */
472 [ + + ]: 5289 : if (client_curve) {
473 : 4624 : conn->kex_params.server_ecc_evp_params.negotiated_curve = conn->kex_params.client_ecc_evp_params.negotiated_curve;
474 : 4624 : conn->kex_params.server_kem_group_params.kem_group = NULL;
475 : 4624 : conn->kex_params.server_kem_group_params.ecc_params.negotiated_curve = NULL;
476 : 4624 : conn->kex_params.server_kem_group_params.kem_params.kem = NULL;
477 : 4624 : return S2N_SUCCESS;
478 : 4624 : }
479 : :
480 : : /* Option 5: Server and client have at least 1 mutually supported group, but the client did not send key shares for
481 : : * any of them. Send a HelloRetryRequest indicating the server's preference. */
482 [ - + ]: 665 : POSIX_GUARD(s2n_set_hello_retry_required(conn));
483 : 665 : return S2N_SUCCESS;
484 : 665 : }
485 : :
486 : : /* Old-style extension functions -- remove after extensions refactor is complete */
487 : :
488 : : /*
489 : : * Calculate the data length for Server Key Share extension
490 : : * based on negotiated_curve selected in server_ecc_evp_params.
491 : : *
492 : : * Retry requests have a different key share format,
493 : : * https://tools.ietf.org/html/rfc8446#section-4.2.8
494 : : *
495 : : * This functions does not error, but s2n_extensions_server_key_share_send() would
496 : : */
497 : : int s2n_extensions_server_key_share_send_size(struct s2n_connection *conn)
498 : 11 : {
499 : 11 : const struct s2n_ecc_named_curve *curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
500 : 11 : int key_share_size = S2N_SIZE_OF_EXTENSION_TYPE
501 : 11 : + S2N_SIZE_OF_EXTENSION_DATA_SIZE
502 : 11 : + S2N_SIZE_OF_NAMED_GROUP;
503 : :
504 : : /* If this is a KeyShareHelloRetryRequest we don't include the share size */
505 [ + + ]: 11 : if (s2n_is_hello_retry_message(conn)) {
506 : 3 : return key_share_size;
507 : 3 : }
508 : :
509 [ + + ]: 8 : if (curve == NULL) {
510 : 2 : return 0;
511 : 2 : }
512 : :
513 : : /* If this is a full KeyShareEntry, include the share size */
514 : 6 : key_share_size += (S2N_SIZE_OF_KEY_SHARE_SIZE + curve->share_size);
515 : :
516 : 6 : return key_share_size;
517 : 8 : }
518 : :
519 : : /*
520 : : * Sends Key Share extension in Server Hello.
521 : : *
522 : : * Expects negotiated_curve to be set and generates a ephemeral key for key sharing
523 : : */
524 : : int s2n_extensions_server_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out)
525 : 1 : {
526 : 1 : return s2n_extension_send(&s2n_server_key_share_extension, conn, out);
527 : 1 : }
528 : :
529 : : /*
530 : : * Client receives a Server Hello key share.
531 : : *
532 : : * If the curve is supported, conn->kex_params.server_ecc_evp_params will be set.
533 : : */
534 : : int s2n_extensions_server_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
535 : 1 : {
536 : 1 : return s2n_extension_recv(&s2n_server_key_share_extension, conn, extension);
537 : 1 : }
|
