LCOV - code coverage report
Current view: top level - tls - s2n_change_cipher_spec.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 33 33 100.0 %
Date: 2025-08-15 07:28:39 Functions: 4 4 100.0 %
Branches: 20 42 47.6 % 

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include <stdint.h>
      17                 :            : 
      18                 :            : #include "error/s2n_errno.h"
      19                 :            : #include "stuffer/s2n_stuffer.h"
      20                 :            : #include "tls/s2n_cipher_suites.h"
      21                 :            : #include "tls/s2n_connection.h"
      22                 :            : #include "tls/s2n_tls.h"
      23                 :            : #include "utils/s2n_safety.h"
      24                 :            : 
      25                 :            : /* From RFC5246 7.1: https://tools.ietf.org/html/rfc5246#section-7.1 */
      26                 :            : #define CHANGE_CIPHER_SPEC_TYPE 1
      27                 :            : 
      28                 :            : int s2n_basic_ccs_recv(struct s2n_connection *conn)
      29                 :      10427 : {
      30                 :      10427 :     uint8_t type = 0;
      31                 :            : 
      32         [ -  + ]:      10427 :     POSIX_GUARD(s2n_stuffer_read_uint8(&conn->handshake.io, &type));
      33 [ +  + ][ +  - ]:      10427 :     S2N_ERROR_IF(type != CHANGE_CIPHER_SPEC_TYPE, S2N_ERR_BAD_MESSAGE);
      34                 :            : 
      35                 :      10424 :     return 0;
      36                 :      10427 : }
      37                 :            : 
      38                 :            : int s2n_client_ccs_recv(struct s2n_connection *conn)
      39                 :       2260 : {
      40 [ -  + ][ #  # ]:       2260 :     POSIX_ENSURE_REF(conn);
      41 [ #  # ][ -  + ]:       2260 :     POSIX_ENSURE_REF(conn->secure);
      42                 :            : 
      43         [ +  + ]:       2260 :     POSIX_GUARD(s2n_basic_ccs_recv(conn));
      44                 :            : 
      45                 :            :     /* Zero the sequence number */
      46                 :       2259 :     struct s2n_blob seq = { 0 };
      47         [ -  + ]:       2259 :     POSIX_GUARD(s2n_blob_init(&seq, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
      48         [ -  + ]:       2259 :     POSIX_GUARD(s2n_blob_zero(&seq));
      49                 :            : 
      50                 :            :     /* Update the client to use the cipher-suite */
      51                 :       2259 :     conn->client = conn->secure;
      52                 :            : 
      53                 :            :     /* Flush any partial alert messages that were pending.
      54                 :            :      * If we don't do this, an attacker can inject a 1-byte alert message into the handshake
      55                 :            :      * and cause later, valid alerts to be processed incorrectly. */
      56         [ -  + ]:       2259 :     POSIX_GUARD(s2n_stuffer_wipe(&conn->alert_in));
      57                 :            : 
      58                 :       2259 :     return 0;
      59                 :       2259 : }
      60                 :            : 
      61                 :            : int s2n_server_ccs_recv(struct s2n_connection *conn)
      62                 :       1306 : {
      63 [ #  # ][ -  + ]:       1306 :     POSIX_ENSURE_REF(conn);
      64 [ -  + ][ #  # ]:       1306 :     POSIX_ENSURE_REF(conn->secure);
      65                 :            : 
      66         [ +  + ]:       1306 :     POSIX_GUARD(s2n_basic_ccs_recv(conn));
      67                 :            : 
      68                 :            :     /* Zero the sequence number */
      69                 :       1305 :     struct s2n_blob seq = { 0 };
      70         [ -  + ]:       1305 :     POSIX_GUARD(s2n_blob_init(&seq, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number)));
      71         [ -  + ]:       1305 :     POSIX_GUARD(s2n_blob_zero(&seq));
      72                 :            : 
      73                 :            :     /* Compute the finished message */
      74         [ -  + ]:       1305 :     POSIX_GUARD(s2n_prf_server_finished(conn));
      75                 :            : 
      76                 :            :     /* Update the secure state to active, and point the client at the active state */
      77                 :       1305 :     conn->server = conn->secure;
      78                 :            : 
      79                 :            :     /* Flush any partial alert messages that were pending.
      80                 :            :      * If we don't do this, an attacker can inject a 1-byte alert message into the handshake
      81                 :            :      * and cause later, valid alerts to be processed incorrectly. */
      82         [ -  + ]:       1305 :     POSIX_GUARD(s2n_stuffer_wipe(&conn->alert_in));
      83                 :            : 
      84                 :       1305 :     return 0;
      85                 :       1305 : }
      86                 :            : 
      87                 :            : int s2n_ccs_send(struct s2n_connection *conn)
      88                 :      10504 : {
      89         [ -  + ]:      10504 :     POSIX_GUARD(s2n_stuffer_write_uint8(&conn->handshake.io, CHANGE_CIPHER_SPEC_TYPE));
      90                 :            : 
      91                 :      10504 :     return 0;
      92                 :      10504 : }

Generated by: LCOV version 1.14