Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #pragma once
17 : :
18 : : #include <stdint.h>
19 : :
20 : : #include "api/s2n.h"
21 : : #include "crypto/s2n_certificate.h"
22 : : #include "crypto/s2n_hash.h"
23 : : #include "stuffer/s2n_stuffer.h"
24 : : #include "tls/s2n_crypto.h"
25 : : #include "tls/s2n_handshake_hashes.h"
26 : : #include "tls/s2n_handshake_type.h"
27 : : #include "tls/s2n_signature_algorithms.h"
28 : : #include "tls/s2n_tls_parameters.h"
29 : :
30 : : /* From RFC 8446: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
31 : 38170 : #define TLS_HELLO_REQUEST 0
32 : : #define TLS_CLIENT_HELLO 1
33 : : #define TLS_SERVER_HELLO 2
34 : 460 : #define TLS_SERVER_NEW_SESSION_TICKET 4
35 : : #define TLS_END_OF_EARLY_DATA 5
36 : : #define TLS_ENCRYPTED_EXTENSIONS 8
37 : : #define TLS_CERTIFICATE 11
38 : : #define TLS_SERVER_KEY 12
39 : 62204 : #define TLS_CERT_REQ 13
40 : : #define TLS_SERVER_HELLO_DONE 14
41 : : #define TLS_CERT_VERIFY 15
42 : : #define TLS_CLIENT_KEY 16
43 : : #define TLS_FINISHED 20
44 : 48984 : #define TLS_SERVER_CERT_STATUS 22
45 : : #define TLS_SERVER_SESSION_LOOKUP 23
46 : 894 : #define TLS_KEY_UPDATE 24
47 : : #define TLS_NPN 67
48 : 1300 : #define TLS_MESSAGE_HASH 254
49 : :
50 : : /* Maximum number of messages in a handshake */
51 : : #define S2N_MAX_HANDSHAKE_LENGTH 32
52 : :
53 : : /* This is the list of message types that we support */
54 : : typedef enum {
55 : : CLIENT_HELLO = 0,
56 : : SERVER_HELLO,
57 : : SERVER_CERT,
58 : : SERVER_NEW_SESSION_TICKET,
59 : : SERVER_CERT_STATUS,
60 : : SERVER_KEY,
61 : : SERVER_CERT_REQ,
62 : : SERVER_HELLO_DONE,
63 : : CLIENT_CERT,
64 : : CLIENT_KEY,
65 : : CLIENT_CERT_VERIFY,
66 : : CLIENT_CHANGE_CIPHER_SPEC,
67 : : /* Not a standardized message. Defined: https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-04 */
68 : : CLIENT_NPN,
69 : : CLIENT_FINISHED,
70 : : SERVER_CHANGE_CIPHER_SPEC,
71 : : SERVER_FINISHED,
72 : :
73 : : /* TLS1.3 message types. Defined: https://tools.ietf.org/html/rfc8446#appendix-B.3 */
74 : : ENCRYPTED_EXTENSIONS,
75 : : SERVER_CERT_VERIFY,
76 : : HELLO_RETRY_MSG,
77 : : END_OF_EARLY_DATA,
78 : :
79 : : APPLICATION_DATA,
80 : : } message_type_t;
81 : :
82 : : typedef enum {
83 : : S2N_ASYNC_NOT_INVOKED = 0,
84 : : S2N_ASYNC_INVOKED,
85 : : S2N_ASYNC_COMPLETE,
86 : : } s2n_async_state;
87 : :
88 : : /* Indicates which state machine is being used. The handshake
89 : : * starts off on the initial enum, which indicates we're using
90 : : * the TLS12 state machine. Once the handshake version is determined
91 : : * the enum is set to either the TLS12 or TLS13 state machine.
92 : : * This works because the initial entries in both the TLS12 and
93 : : * TLS13 state machines are the same. */
94 : : typedef enum {
95 : : S2N_STATE_MACHINE_INITIAL = 0,
96 : : S2N_STATE_MACHINE_TLS12,
97 : : S2N_STATE_MACHINE_TLS13,
98 : : } s2n_state_machine;
99 : :
100 : : struct s2n_handshake_parameters {
101 : : /* Public keys for server / client */
102 : : struct s2n_pkey server_public_key;
103 : : struct s2n_pkey client_public_key;
104 : : struct s2n_blob client_cert_chain;
105 : : s2n_pkey_type client_cert_pkey_type;
106 : :
107 : : /* Signature/hash algorithm pairs offered by the peer.
108 : : *
109 : : * In the case of server connections, this list contains the client's supported signature
110 : : * schemes offered in the ClientHello. In the case of client connections, this list contains
111 : : * the server's supported signature schemes offered in the CertificateRequest.
112 : : */
113 : : struct s2n_sig_scheme_list peer_sig_scheme_list;
114 : : /* Signature scheme chosen by the server */
115 : : const struct s2n_signature_scheme *server_cert_sig_scheme;
116 : : /* Signature scheme chosen by the client */
117 : : const struct s2n_signature_scheme *client_cert_sig_scheme;
118 : :
119 : : /* The cert chain we will send the peer. */
120 : : struct s2n_cert_chain_and_key *our_chain_and_key;
121 : :
122 : : /* The subset of certificates that match the server_name presented in the ClientHello.
123 : : * In the case of multiple certificates matching a server_name, s2n will prefer certificates
124 : : * in FIFO order based on calls to s2n_config_add_cert_chain_and_key_to_store
125 : : *
126 : : * Note that in addition to domain matching, the key type for the certificate must also be
127 : : * suitable for a negotiation in order to be selected. The set of matching certs here are indexed
128 : : * by s2n_authentication_method.
129 : : *
130 : : * Example:
131 : : * - Assume certA is added to s2n_config via s2n_config_add_cert_chain_and_key_to_store
132 : : * - Next certB is added.
133 : : * - if certA matches www.foo.com and certB matches www.foo.com, s2n will prefer certA
134 : : *
135 : : * Note that in addition to domain matching, the key type for the certificate must also be
136 : : * suitable for a negotiation in order to be selected.
137 : : *
138 : : * Example:
139 : : * - Assume certA and certB match server_name www.foo.com
140 : : * - certA is ECDSA and certB is RSA.
141 : : * - Client only supports RSA ciphers
142 : : * - certB will be selected.
143 : : */
144 : : struct s2n_cert_chain_and_key *exact_sni_matches[S2N_CERT_TYPE_COUNT];
145 : : struct s2n_cert_chain_and_key *wc_sni_matches[S2N_CERT_TYPE_COUNT];
146 : : uint8_t exact_sni_match_exists;
147 : : uint8_t wc_sni_match_exists;
148 : :
149 : : uint8_t client_random[S2N_TLS_RANDOM_DATA_LEN];
150 : : uint8_t server_random[S2N_TLS_RANDOM_DATA_LEN];
151 : : };
152 : :
153 : : struct s2n_handshake {
154 : : struct s2n_stuffer io;
155 : :
156 : : struct s2n_handshake_hashes *hashes;
157 : :
158 : : /* Hash algorithms required for this handshake. The set of required hashes can be reduced as session parameters are
159 : : * negotiated, i.e. cipher suite and protocol version.
160 : : */
161 : : uint8_t required_hash_algs[S2N_HASH_ALGS_COUNT];
162 : :
163 : : /*
164 : : * Data required by the Finished messages.
165 : : * In TLS1.2 and earlier, the data is the verify_data.
166 : : * In TLS1.3, the data is the finished_key used to calculate the verify_data.
167 : : *
168 : : * The data will be different for the client and server.
169 : : * The length of the data will be the same for the client and server.
170 : : * The length of the data depends on protocol version and cipher suite.
171 : : */
172 : : uint8_t server_finished[S2N_TLS_SECRET_LEN];
173 : : uint8_t client_finished[S2N_TLS_SECRET_LEN];
174 : : uint8_t finished_len;
175 : :
176 : : /* Which message-order affecting features are enabled */
177 : : uint32_t handshake_type;
178 : :
179 : : /* Which handshake message number are we processing */
180 : : int message_number;
181 : :
182 : : /* Last message in the handshake. Unless using early data or testing,
183 : : * should always be APPLICATION_DATA. */
184 : : message_type_t end_of_messages;
185 : :
186 : : /* State of the async pkey operation during handshake */
187 : : s2n_async_state async_state;
188 : :
189 : : /* State of the async early data callback.
190 : : * If not initialized, then the callback has not been triggered yet. */
191 : : struct s2n_offered_early_data early_data_async_state;
192 : :
193 : : /* Indicates the CLIENT_HELLO message has been completely received */
194 : : unsigned client_hello_received : 1;
195 : :
196 : : /* Indicates the handshake blocked while trying to read or write data, and has been paused */
197 : : unsigned paused : 1;
198 : :
199 : : /* Set to 1 if the RSA verification failed */
200 : : unsigned rsa_failed : 1;
201 : :
202 : : /* Indicates that this is a renegotiation handshake */
203 : : unsigned renegotiation : 1;
204 : :
205 : : s2n_state_machine state_machine;
206 : : };
207 : :
208 : : /* Only used in our test cases. */
209 : : message_type_t s2n_conn_get_current_message_type(const struct s2n_connection *conn);
210 : :
211 : : /* s2n_handshake */
212 : : int s2n_handshake_require_all_hashes(struct s2n_handshake *handshake);
213 : : uint8_t s2n_handshake_is_hash_required(struct s2n_handshake *handshake, s2n_hash_algorithm hash_alg);
214 : : int s2n_conn_update_required_handshake_hashes(struct s2n_connection *conn);
215 : : S2N_RESULT s2n_handshake_copy_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg, struct s2n_hash_state *hash_state);
216 : : S2N_RESULT s2n_handshake_reset_hash_state(struct s2n_connection *conn, s2n_hash_algorithm hash_alg);
217 : : int s2n_conn_find_name_matching_certs(struct s2n_connection *conn);
218 : : int s2n_create_wildcard_hostname(struct s2n_stuffer *hostname, struct s2n_stuffer *output);
219 : : struct s2n_cert_chain_and_key *s2n_get_compatible_cert_chain_and_key(struct s2n_connection *conn, const s2n_pkey_type cert_type);
220 : : S2N_RESULT s2n_negotiate_until_message(struct s2n_connection *conn, s2n_blocked_status *blocked, message_type_t end_message);
221 : : S2N_RESULT s2n_handshake_validate(const struct s2n_handshake *s2n_handshake);
222 : : S2N_RESULT s2n_handshake_set_finished_len(struct s2n_connection *conn, uint8_t len);
223 : : bool s2n_handshake_is_renegotiation(struct s2n_connection *conn);
224 : : S2N_RESULT s2n_handshake_message_send(struct s2n_connection *conn, uint8_t content_type, s2n_blocked_status *blocked);
225 : :
226 : : /* s2n_handshake_io */
227 : : int s2n_conn_set_handshake_type(struct s2n_connection *conn);
228 : : int s2n_conn_set_handshake_no_client_cert(struct s2n_connection *conn);
229 : : S2N_RESULT s2n_conn_choose_state_machine(struct s2n_connection *conn, uint8_t protocol_version);
230 : : bool s2n_handshake_is_complete(struct s2n_connection *conn);
231 : :
232 : : /* s2n_handshake_transcript */
233 : : S2N_RESULT s2n_handshake_transcript_update(struct s2n_connection *conn);
234 : : int s2n_conn_update_handshake_hashes(struct s2n_connection *conn, struct s2n_blob *data);
235 : :
236 : : /* s2n_quic_support */
237 : : S2N_RESULT s2n_quic_read_handshake_message(struct s2n_connection *conn, uint8_t *message_type);
238 : : S2N_RESULT s2n_quic_write_handshake_message(struct s2n_connection *conn);
|
