Branch data     Line data    Source code

       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "error/s2n_errno.h"
      17                 :            : #include "tls/s2n_connection.h"
      18                 :            : #include "tls/s2n_record.h"
      19                 :            : #include "utils/s2n_mem.h"
      20                 :            : #include "utils/s2n_safety.h"
      21                 :            : 
      22                 :            : /* Derive the AAD for an AEAD mode cipher suite from the connection state, per
      23                 :            :  * RFC 5246 section 6.2.3.3 */
      24                 :            : S2N_RESULT s2n_aead_aad_init(const struct s2n_connection *conn, uint8_t *sequence_number, uint8_t content_type, uint16_t record_length, struct s2n_blob *ad)
      25                 :    6565146 : {
      26 [ -  + ][ #  # ]:    6565146 :     RESULT_ENSURE_REF(ad);
      27 [ -  + ][ #  # ]:    6565146 :     RESULT_ENSURE_GTE(ad->size, S2N_TLS_MAX_AAD_LEN);
      28                 :            : 
      29                 :    6565146 :     uint8_t *data = ad->data;
      30         [ -  + ]:    6565146 :     RESULT_GUARD_PTR(data);
      31                 :            : 
      32                 :            :     /* ad = seq_num || record_type || version || length */
      33                 :            : 
      34                 :    6565146 :     size_t idx = 0;
      35         [ +  + ]:   59086314 :     for (; idx < S2N_TLS_SEQUENCE_NUM_LEN; idx++) {
      36                 :   52521168 :         data[idx] = sequence_number[idx];
      37                 :   52521168 :     }
      38                 :            : 
      39                 :    6565146 :     data[idx++] = content_type;
      40                 :    6565146 :     data[idx++] = conn->actual_protocol_version / 10;
      41                 :    6565146 :     data[idx++] = conn->actual_protocol_version % 10;
      42                 :    6565146 :     data[idx++] = record_length >> 8;
      43                 :    6565146 :     data[idx++] = record_length & UINT8_MAX;
      44                 :            : 
      45                 :            :     /* Double check no overflow */
      46 [ -  + ][ #  # ]:    6565146 :     RESULT_ENSURE_LTE(idx, ad->size);
      47                 :    6565146 :     return S2N_RESULT_OK;
      48                 :    6565146 : }
      49                 :            : 
      50                 :            : /* Prepares an AAD (additional authentication data) for a TLS 1.3 AEAD record */
      51                 :            : S2N_RESULT s2n_tls13_aead_aad_init(uint16_t record_length, uint8_t tag_length, struct s2n_blob *additional_data)
      52                 :     175803 : {
      53 [ +  + ][ +  - ]:     175803 :     RESULT_ENSURE_GT(tag_length, 0);
      54 [ +  - ][ +  + ]:     175801 :     RESULT_ENSURE_REF(additional_data);
      55 [ -  + ][ #  # ]:     175800 :     RESULT_ENSURE_GTE(additional_data->size, S2N_TLS13_AAD_LEN);
      56                 :            : 
      57                 :     175800 :     uint8_t *data = additional_data->data;
      58         [ -  + ]:     175800 :     RESULT_GUARD_PTR(data);
      59                 :            : 
      60                 :     175800 :     size_t idx = 0;
      61                 :            : 
      62                 :            :     /**
      63                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-5.2
      64                 :            :      *# opaque_type:  The outer opaque_type field of a TLSCiphertext record
      65                 :            :      *#    is always set to the value 23 (application_data) for outward
      66                 :            :      *#    compatibility with middleboxes accustomed to parsing previous
      67                 :            :      *#    versions of TLS.  The actual content type of the record is found
      68                 :            :      *#    in TLSInnerPlaintext.type after decryption.
      69                 :            :      **/
      70                 :     175800 :     data[idx++] = TLS_APPLICATION_DATA;
      71                 :            : 
      72                 :            :     /**
      73                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-5.2
      74                 :            :      *# legacy_record_version:  The legacy_record_version field is always
      75                 :            :      *#    0x0303.  TLS 1.3 TLSCiphertexts are not generated until after
      76                 :            :      *#    TLS 1.3 has been negotiated, so there are no historical
      77                 :            :      *#    compatibility concerns where other values might be received.  Note
      78                 :            :      *#    that the handshake protocol, including the ClientHello and
      79                 :            :      *#    ServerHello messages, authenticates the protocol version, so this
      80                 :            :      *#    value is redundant.
      81                 :            :      */
      82                 :     175800 :     data[idx++] = 0x03;
      83                 :     175800 :     data[idx++] = 0x03;
      84                 :            : 
      85                 :            :     /**
      86                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-5.2
      87                 :            :      *# length:  The length (in bytes) of the following
      88                 :            :      *#    TLSCiphertext.encrypted_record, which is the sum of the lengths of
      89                 :            :      *#    the content and the padding, plus one for the inner content type,
      90                 :            :      *#    plus any expansion added by the AEAD algorithm.  The length
      91                 :            :      *#    MUST NOT exceed 2^14 + 256 bytes.  An endpoint that receives a
      92                 :            :      *#    record that exceeds this length MUST terminate the connection with
      93                 :            :      *#    a "record_overflow" alert.
      94                 :            :      */
      95                 :     175800 :     uint16_t length = record_length + tag_length;
      96 [ +  + ][ +  - ]:     175800 :     RESULT_ENSURE(length <= (1 << 14) + 256, S2N_ERR_RECORD_LIMIT);
      97                 :     175799 :     data[idx++] = length >> 8;
      98                 :     175799 :     data[idx++] = length & UINT8_MAX;
      99                 :            : 
     100                 :            :     /* Double check no overflow */
     101 [ -  + ][ #  # ]:     175799 :     RESULT_ENSURE_LTE(idx, additional_data->size);
     102                 :     175799 :     return S2N_RESULT_OK;
     103                 :     175799 : }