Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <stdint.h>
19 : :
20 : : #include "api/s2n.h"
21 : : #include "crypto/s2n_certificate.h"
22 : : #include "crypto/s2n_hash.h"
23 : : #include "stuffer/s2n_stuffer.h"
24 : : #include "tls/s2n_crypto.h"
25 : : #include "tls/s2n_handshake_hashes.h"
26 : : #include "tls/s2n_handshake_type.h"
27 : : #include "tls/s2n_signature_algorithms.h"
28 : : #include "tls/s2n_tls_parameters.h"
29 : :
30 : : /* From RFC 8446: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
31 : 41170 : #define TLS_HELLO_REQUEST 0
32 : : #define TLS_CLIENT_HELLO 1
33 : : #define TLS_SERVER_HELLO 2
34 : 460 : #define TLS_SERVER_NEW_SESSION_TICKET 4
35 : : #define TLS_END_OF_EARLY_DATA 5
36 : : #define TLS_ENCRYPTED_EXTENSIONS 8
37 : : #define TLS_CERTIFICATE 11
38 : : #define TLS_SERVER_KEY 12
39 : 67083 : #define TLS_CERT_REQ 13
40 : : #define TLS_SERVER_HELLO_DONE 14
41 : : #define TLS_CERT_VERIFY 15
42 : : #define TLS_CLIENT_KEY 16
43 : : #define TLS_FINISHED 20
44 : 53056 : #define TLS_SERVER_CERT_STATUS 22
45 : : #define TLS_SERVER_SESSION_LOOKUP 23
46 : 889 : #define TLS_KEY_UPDATE 24
47 : : #define TLS_NPN 67
48 : 1340 : #define TLS_MESSAGE_HASH 254
49 : :
50 : : /* Maximum number of messages in a handshake */
51 : : #define S2N_MAX_HANDSHAKE_LENGTH 32
52 : :
53 : : /* This is the list of message types that we support */
54 : : typedef enum {
55 : : CLIENT_HELLO = 0,
56 : : SERVER_HELLO,
57 : : SERVER_CERT,
58 : : SERVER_NEW_SESSION_TICKET,
59 : : SERVER_CERT_STATUS,
60 : : SERVER_KEY,
61 : : SERVER_CERT_REQ,
62 : : SERVER_HELLO_DONE,
63 : : CLIENT_CERT,
64 : : CLIENT_KEY,
65 : : CLIENT_CERT_VERIFY,
66 : : CLIENT_CHANGE_CIPHER_SPEC,
67 : : /* Not a standardized message. Defined: https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-04 */
68 : : CLIENT_NPN,
69 : : CLIENT_FINISHED,
70 : : SERVER_CHANGE_CIPHER_SPEC,
71 : : SERVER_FINISHED,
72 : :
73 : : /* TLS1.3 message types. Defined: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
74 : : ENCRYPTED_EXTENSIONS,
75 : : SERVER_CERT_VERIFY,
76 : : HELLO_RETRY_MSG,
77 : : END_OF_EARLY_DATA,
78 : :
79 : : APPLICATION_DATA,
80 : : } message_type_t;
81 : :
82 : : typedef enum {
83 : : S2N_ASYNC_NOT_INVOKED = 0,
84 : : S2N_ASYNC_INVOKED,
85 : : S2N_ASYNC_COMPLETE,
86 : : } s2n_async_state;
87 : :
88 : : /* Indicates which state machine is being used. The handshake
89 : : * starts off on the initial enum, which indicates we're using
90 : : * the TLS12 state machine. Once the handshake version is determined
91 : : * the enum is set to either the TLS12 or TLS13 state machine.
92 : : * This works because the initial entries in both the TLS12 and
93 : : * TLS13 state machines are the same. */
94 : : typedef enum {
95 : : S2N_STATE_MACHINE_INITIAL = 0,
96 : : S2N_STATE_MACHINE_TLS12,
97 : : S2N_STATE_MACHINE_TLS13,
98 : : } s2n_state_machine;
99 : :
100 : : struct s2n_handshake_parameters {
101 : : /* Public keys for server / client */
102 : : struct s2n_pkey server_public_key;
103 : : struct s2n_pkey client_public_key;
104 : : struct s2n_blob client_cert_chain;
105 : : s2n_pkey_type client_cert_pkey_type;
106 : :
107 : : /* Signature/hash algorithm pairs offered by the peer.
108 : : *
109 : : * In the case of server connections, this list contains the client's supported signature
110 : : * schemes offered in the ClientHello. In the case of client connections, this list contains
111 : : * the server's supported signature schemes offered in the CertificateRequest.
112 : : */
113 : : struct s2n_sig_scheme_list peer_sig_scheme_list;
114 : : /* Signature scheme chosen by the server */
115 : : const struct s2n_signature_scheme *server_cert_sig_scheme;
116 : : /* Signature scheme chosen by the client */
117 : : const struct s2n_signature_scheme *client_cert_sig_scheme;
118 : :
119 : : /* The cert chain we will send the peer. */
120 : : struct s2n_cert_chain_and_key *our_chain_and_key;
121 : :
122 : : /* The subset of certificates that match the server_name presented in the ClientHello.
123 : : * In the case of multiple certificates matching a server_name, s2n will prefer certificates
124 : : * in FIFO order based on calls to s2n_config_add_cert_chain_and_key_to_store
125 : : *
126 : : * Note that in addition to domain matching, the key type for the certificate must also be
127 : : * suitable for a negotiation in order to be selected. The set of matching certs here are indexed
128 : : * by s2n_authentication_method.
129 : : *
130 : : * Example:
131 : : * - Assume certA is added to s2n_config via s2n_config_add_cert_chain_and_key_to_store
132 : : * - Next certB is added.
133 : : * - if certA matches www.foo.com and certB matches www.foo.com, s2n will prefer certA
134 : : *
135 : : * Note that in addition to domain matching, the key type for the certificate must also be
136 : : * suitable for a negotiation in order to be selected.
137 : : *
138 : : * Example:
139 : : * - Assume certA and certB match server_name www.foo.com
140 : : * - certA is ECDSA and certB is RSA.
141 : : * - Client only supports RSA ciphers
142 : : * - certB will be selected.
143 : : */
144 : : struct s2n_cert_chain_and_key *exact_sni_matches[S2N_CERT_TYPE_COUNT];
145 : : struct s2n_cert_chain_and_key *wc_sni_matches[S2N_CERT_TYPE_COUNT];
146 : : uint8_t exact_sni_match_exists;
147 : : uint8_t wc_sni_match_exists;
148 : :
149 : : uint8_t server_random[S2N_TLS_RANDOM_DATA_LEN];
150 : : };
151 : :
152 : : struct s2n_handshake {
153 : : struct s2n_stuffer io;
154 : :
155 : : struct s2n_handshake_hashes *hashes;
156 : :
157 : : /* Hash algorithms required for this handshake. The set of required hashes can be reduced as session parameters are
158 : : * negotiated, i.e. cipher suite and protocol version.
159 : : */
160 : : uint8_t required_hash_algs[S2N_HASH_ALGS_COUNT];
161 : :
162 : : /*
163 : : * Data required by the Finished messages.
164 : : * In TLS1.2 and earlier, the data is the verify_data.
165 : : * In TLS1.3, the data is the finished_key used to calculate the verify_data.
166 : : *
167 : : * The data will be different for the client and server.
168 : : * The length of the data will be the same for the client and server.
169 : : * The length of the data depends on protocol version and cipher suite.
170 : : */
171 : : uint8_t server_finished[S2N_TLS_SECRET_LEN];
172 : : uint8_t client_finished[S2N_TLS_SECRET_LEN];
173 : : uint8_t finished_len;
174 : :
175 : : /* Which message-order affecting features are enabled */
176 : : uint32_t handshake_type;
177 : :
178 : : /* Which handshake message number are we processing */
179 : : int message_number;
180 : :
181 : : /* Last message in the handshake. Unless using early data or testing,
182 : : * should always be APPLICATION_DATA. */
183 : : message_type_t end_of_messages;
184 : :
185 : : /* State of the async pkey operation during handshake */
186 : : s2n_async_state async_state;
187 : :
188 : : /* State of the async early data callback.
189 : : * If not initialized, then the callback has not been triggered yet. */
190 : : struct s2n_offered_early_data early_data_async_state;
191 : :
192 : : /* Indicates the CLIENT_HELLO message has been completely received */
193 : : unsigned client_hello_received : 1;
194 : :
195 : : /* Indicates the handshake blocked while trying to read or write data, and has been paused */
196 : : unsigned paused : 1;
197 : :
198 : : /* Set to 1 if the RSA verification failed */
199 : : unsigned rsa_failed : 1;
200 : :
201 : : /* Indicates that this is a renegotiation handshake */
202 : : unsigned renegotiation : 1;
203 : :
204 : : s2n_state_machine state_machine;
205 : : };
206 : :
207 : : /* Only used in our test cases. */
208 : : message_type_t s2n_conn_get_current_message_type(const struct s2n_connection *conn);
209 : :
210 : : /* s2n_handshake */
211 : : int s2n_handshake_require_all_hashes(struct s2n_handshake *handshake);
212 : : uint8_t s2n_handshake_is_hash_required(struct s2n_handshake *handshake, s2n_hash_algorithm hash_alg);
213 : : int s2n_conn_update_required_handshake_hashes(struct s2n_connection *conn);
214 : : S2N_RESULT s2n_handshake_copy_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg, struct s2n_hash_state *hash_state);
215 : : S2N_RESULT s2n_handshake_reset_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg);
216 : : int s2n_conn_find_name_matching_certs(struct s2n_connection *conn);
217 : : int s2n_create_wildcard_hostname(struct s2n_stuffer *hostname, struct s2n_stuffer *output);
218 : : struct s2n_cert_chain_and_key *s2n_get_compatible_cert_chain_and_key(struct s2n_connection *conn, const s2n_pkey_type cert_type);
219 : : S2N_RESULT s2n_negotiate_until_message(struct s2n_connection *conn, s2n_blocked_status *blocked, message_type_t end_message);
220 : : S2N_RESULT s2n_handshake_validate(const struct s2n_handshake *s2n_handshake);
221 : : S2N_RESULT s2n_handshake_set_finished_len(struct s2n_connection *conn, uint8_t len);
222 : : bool s2n_handshake_is_renegotiation(struct s2n_connection *conn);
223 : : S2N_RESULT s2n_handshake_message_send(struct s2n_connection *conn, uint8_t content_type, s2n_blocked_status *blocked);
224 : :
225 : : /* s2n_handshake_io */
226 : : int s2n_conn_set_handshake_type(struct s2n_connection *conn);
227 : : int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn);
228 : : S2N_RESULT s2n_conn_choose_state_machine(struct s2n_connection *conn, uint8_t protocol_version);
229 : : bool s2n_handshake_is_complete(struct s2n_connection *conn);
230 : :
231 : : /* s2n_handshake_transcript */
232 : : S2N_RESULT s2n_handshake_transcript_update(struct s2n_connection *conn);
233 : : int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data);
234 : :
235 : : /* s2n_quic_support */
236 : : S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t *message_type);
237 : : S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn);
|
