Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_prf.h"
17 : :
18 : : #include <openssl/hmac.h>
19 : : #include <openssl/md5.h>
20 : : #include <openssl/sha.h>
21 : : #include <string.h>
22 : : #include <sys/param.h>
23 : :
24 : : #include "crypto/s2n_fips.h"
25 : : #include "crypto/s2n_hash.h"
26 : : #include "crypto/s2n_hmac.h"
27 : : #include "crypto/s2n_prf_libcrypto.h"
28 : : #include "error/s2n_errno.h"
29 : : #include "stuffer/s2n_stuffer.h"
30 : : #include "tls/s2n_cipher_suites.h"
31 : : #include "tls/s2n_connection.h"
32 : : #include "tls/s2n_crypto_constants.h"
33 : : #include "tls/s2n_tls.h"
34 : : #include "utils/s2n_blob.h"
35 : : #include "utils/s2n_mem.h"
36 : : #include "utils/s2n_safety.h"
37 : :
38 : : /* The s2n p_hash implementation is abstracted to allow for separate implementations.
39 : : * Currently the only implementation uses s2n-tls's custom HMAC implementation.
40 : : */
41 : : struct s2n_p_hash_hmac {
42 : : int (*alloc)(struct s2n_prf_working_space *ws);
43 : : int (*init)(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret);
44 : : int (*update)(struct s2n_prf_working_space *ws, const void *data, uint32_t size);
45 : : int (*final)(struct s2n_prf_working_space *ws, void *digest, uint32_t size);
46 : : int (*reset)(struct s2n_prf_working_space *ws);
47 : : int (*cleanup)(struct s2n_prf_working_space *ws);
48 : : int (*free)(struct s2n_prf_working_space *ws);
49 : : };
50 : :
51 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message,
52 : : s2n_hash_algorithm hash_alg, struct s2n_blob *output);
53 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn,
54 : : struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash);
55 : :
56 : : S2N_RESULT s2n_key_material_init(struct s2n_key_material *key_material, struct s2n_connection *conn)
57 : 33366 : {
58 [ # # ][ - + ]: 33366 : RESULT_ENSURE_REF(key_material);
59 [ # # ][ - + ]: 33366 : RESULT_ENSURE_REF(conn);
60 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(conn->secure);
61 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(conn->secure->cipher_suite);
62 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg);
63 : 33366 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
64 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(cipher);
65 : :
66 : 33366 : uint8_t mac_size = 0;
67 : 33366 : uint32_t key_size = 0;
68 : 33366 : uint32_t iv_size = 0;
69 : :
70 : : /* MAC size */
71 [ + + ]: 33366 : if (cipher->type == S2N_COMPOSITE) {
72 : 29511 : mac_size = cipher->io.comp.mac_key_size;
73 : 29511 : } else {
74 [ - + ]: 3855 : RESULT_GUARD_POSIX(s2n_hmac_digest_size(conn->secure->cipher_suite->record_alg->hmac_alg, &mac_size));
75 : 3855 : }
76 : :
77 : : /* KEY size */
78 : 33366 : key_size = cipher->key_material_size;
79 : :
80 : : /* Only AEAD ciphers have implicit IVs for TLS >= 1.1 */
81 [ + + ][ + + ]: 33366 : if (conn->actual_protocol_version <= S2N_TLS10 || cipher->type == S2N_AEAD) {
82 : : /* IV size */
83 : 32500 : switch (cipher->type) {
84 [ + + ]: 3407 : case S2N_AEAD:
85 : 3407 : iv_size = cipher->io.aead.fixed_iv_size;
86 : 3407 : break;
87 [ + + ]: 234 : case S2N_CBC:
88 : 234 : iv_size = cipher->io.cbc.block_size;
89 : 234 : break;
90 [ + + ]: 28859 : case S2N_COMPOSITE:
91 : 28859 : iv_size = cipher->io.comp.block_size;
92 : 28859 : break;
93 : : /* No-op for stream ciphers */
94 [ - + ]: 0 : default:
95 : 0 : break;
96 : 32500 : }
97 : 32500 : }
98 : :
99 : 33366 : struct s2n_stuffer key_material_stuffer = { 0 };
100 : 33366 : struct s2n_blob key_material_blob = { 0 };
101 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material_blob, key_material->key_block, sizeof(key_material->key_block)));
102 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_stuffer_init_written(&key_material_stuffer, &key_material_blob));
103 : :
104 : : /* initialize key_material blobs; incrementing ptr to point to the next slice of memory */
105 : 33366 : uint8_t *ptr = NULL;
106 : : /* MAC */
107 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
108 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
109 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_mac, ptr, mac_size));
110 : :
111 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
112 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
113 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_mac, ptr, mac_size));
114 : :
115 : : /* KEY */
116 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
117 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
118 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_key, ptr, key_size));
119 : :
120 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
121 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
122 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_key, ptr, key_size));
123 : :
124 : : /* IV */
125 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
126 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
127 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_iv, ptr, iv_size));
128 : :
129 : 33366 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
130 [ - + ][ # # ]: 33366 : RESULT_ENSURE_REF(ptr);
131 [ - + ]: 33366 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_iv, ptr, iv_size));
132 : :
133 : 33366 : return S2N_RESULT_OK;
134 : 33366 : }
135 : :
136 : : /* SSLv3 PRF uses MD5 and SHA-1 in a custom hash-based construction (not
137 : : * HMAC). The use of weak hash algorithms is inherent to the SSLv3 protocol
138 : : * specification. SSLv3 is disabled by default and not recommended.
139 : : */
140 : : static int s2n_prf_sslv3(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *seed_a,
141 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
142 : 386 : {
143 [ # # ][ - + ]: 386 : POSIX_ENSURE_REF(conn);
144 [ # # ][ - + ]: 386 : POSIX_ENSURE_REF(conn->handshake.hashes);
145 : 386 : struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
146 : :
147 : 386 : uint32_t outputlen = out->size;
148 : 386 : uint8_t *output = out->data;
149 : 386 : uint8_t iteration = 1;
150 : :
151 : 386 : uint8_t md5_digest[MD5_DIGEST_LENGTH] = { 0 }, sha_digest[SHA_DIGEST_LENGTH] = { 0 };
152 : :
153 : 386 : uint8_t A = 'A';
154 [ + + ]: 2895 : while (outputlen) {
155 : 2509 : struct s2n_hash_state *sha1 = workspace;
156 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_reset(sha1));
157 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1));
158 : :
159 [ + + ]: 14282 : for (int i = 0; i < iteration; i++) {
160 [ - + ]: 11773 : POSIX_GUARD(s2n_hash_update(sha1, &A, 1));
161 : 11773 : }
162 : :
163 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_update(sha1, secret->data, secret->size));
164 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
165 : :
166 [ + - ]: 2509 : if (seed_b) {
167 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
168 [ - + ]: 2509 : if (seed_c) {
169 [ # # ]: 0 : POSIX_GUARD(s2n_hash_update(sha1, seed_c->data, seed_c->size));
170 : 0 : }
171 : 2509 : }
172 : :
173 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, sizeof(sha_digest)));
174 : :
175 : 2509 : struct s2n_hash_state *md5 = workspace;
176 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_reset(md5));
177 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
178 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
179 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));
180 [ - + ]: 2509 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, sizeof(md5_digest)));
181 : :
182 : 2509 : uint32_t bytes_to_copy = MIN(outputlen, sizeof(md5_digest));
183 : :
184 [ - + ][ # # ]: 2509 : POSIX_CHECKED_MEMCPY(output, md5_digest, bytes_to_copy);
[ + - ]
185 : :
186 : 2509 : outputlen -= bytes_to_copy;
187 : 2509 : output += bytes_to_copy;
188 : :
189 : : /* Increment the letter */
190 : 2509 : A++;
191 : 2509 : iteration++;
192 : 2509 : }
193 : :
194 : 386 : return 0;
195 : 386 : }
196 : :
197 : : static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
198 : 126924 : {
199 [ - + ]: 126924 : POSIX_GUARD(s2n_hmac_new(&ws->p_hash.s2n_hmac));
200 : 126924 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, S2N_HMAC_NONE, NULL, 0);
201 : 126924 : }
202 : :
203 : : static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
204 : 16155 : {
205 : 16155 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, alg, secret->data, secret->size);
206 : 16155 : }
207 : :
208 : : static int s2n_hmac_p_hash_update(struct s2n_prf_working_space *ws, const void *data, uint32_t size)
209 : 240748 : {
210 : 240748 : return s2n_hmac_update(&ws->p_hash.s2n_hmac, data, size);
211 : 240748 : }
212 : :
213 : : static int s2n_hmac_p_hash_digest(struct s2n_prf_working_space *ws, void *digest, uint32_t size)
214 : 101991 : {
215 : 101991 : return s2n_hmac_digest(&ws->p_hash.s2n_hmac, digest, size);
216 : 101991 : }
217 : :
218 : : static int s2n_hmac_p_hash_reset(struct s2n_prf_working_space *ws)
219 : 3524007 : {
220 : : /* If we actually initialized s2n_hmac, wipe it.
221 : : * A valid, initialized s2n_hmac_state will have a valid block size.
222 : : */
223 [ + - ]: 3524007 : if (ws->p_hash.s2n_hmac.hash_block_size != 0) {
224 : 3524007 : return s2n_hmac_reset(&ws->p_hash.s2n_hmac);
225 : 3524007 : }
226 : 0 : return S2N_SUCCESS;
227 : 3524007 : }
228 : :
229 : : static int s2n_hmac_p_hash_cleanup(struct s2n_prf_working_space *ws)
230 : 16155 : {
231 : 16155 : return s2n_hmac_p_hash_reset(ws);
232 : 16155 : }
233 : :
234 : : static int s2n_hmac_p_hash_free(struct s2n_prf_working_space *ws)
235 : 126924 : {
236 : 126924 : return s2n_hmac_free(&ws->p_hash.s2n_hmac);
237 : 126924 : }
238 : :
239 : : static const struct s2n_p_hash_hmac s2n_internal_p_hash_hmac = {
240 : : .alloc = &s2n_hmac_p_hash_new,
241 : : .init = &s2n_hmac_p_hash_init,
242 : : .update = &s2n_hmac_p_hash_update,
243 : : .final = &s2n_hmac_p_hash_digest,
244 : : .reset = &s2n_hmac_p_hash_reset,
245 : : .cleanup = &s2n_hmac_p_hash_cleanup,
246 : : .free = &s2n_hmac_p_hash_free,
247 : : };
248 : :
249 : : /*
250 : : * For now, use the internal s2n-tls hmac abstraction.
251 : : * However, that is a custom implementation of hmac built on hashes.
252 : : * Ideally we should stop using our custom implementation here and switch
253 : : * to using a libcrypto implementation. Unfortunately, what each libcrypto
254 : : * can support varies a lot for HMACs.
255 : : *
256 : : * For historical reference, there used to be two other hmac implementations:
257 : : * https://github.com/aws/s2n-tls/blob/711ee0df658cd7c44088cf7a1b20a9f3cf5296d6/tls/s2n_prf.c#L174-L337
258 : : * Both implementations have compatibility issues with one or more libcryptos.
259 : : */
260 : : const struct s2n_p_hash_hmac *s2n_get_hmac_implementation()
261 : 3692019 : {
262 : 3692019 : return &s2n_internal_p_hash_hmac;
263 : 3692019 : }
264 : :
265 : : static int s2n_p_hash(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label,
266 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
267 : 16155 : {
268 : 16155 : uint8_t digest_size = 0;
269 [ - + ]: 16155 : POSIX_GUARD(s2n_hmac_digest_size(alg, &digest_size));
270 : :
271 : 16155 : const struct s2n_p_hash_hmac *hmac = s2n_get_hmac_implementation();
272 [ # # ][ - + ]: 16155 : POSIX_ENSURE_REF(hmac);
273 : :
274 : : /* First compute hmac(secret + A(0)) */
275 [ - + ]: 16155 : POSIX_GUARD(hmac->init(ws, alg, secret));
276 [ - + ]: 16155 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
277 [ - + ]: 16155 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
278 : :
279 [ + + ]: 16155 : if (seed_b) {
280 [ - + ]: 6866 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
281 [ + + ]: 6866 : if (seed_c) {
282 [ - + ]: 5 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
283 : 5 : }
284 : 6866 : }
285 [ - + ]: 16155 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
286 : :
287 : 16155 : uint32_t outputlen = out->size;
288 : 16155 : uint8_t *output = out->data;
289 : :
290 [ + + ]: 59073 : while (outputlen) {
291 : : /* Now compute hmac(secret + A(N - 1) + seed) */
292 [ - + ]: 42918 : POSIX_GUARD(hmac->reset(ws));
293 [ - + ]: 42918 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
294 : :
295 : : /* Add the label + seed and compute this round's A */
296 [ - + ]: 42918 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
297 [ - + ]: 42918 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
298 [ + + ]: 42918 : if (seed_b) {
299 [ - + ]: 29877 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
300 [ + + ]: 29877 : if (seed_c) {
301 [ - + ]: 18 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
302 : 18 : }
303 : 29877 : }
304 : :
305 [ - + ]: 42918 : POSIX_GUARD(hmac->final(ws, ws->digest1, digest_size));
306 : :
307 : 42918 : uint32_t bytes_to_xor = MIN(outputlen, digest_size);
308 : :
309 [ + + ]: 1109446 : for (size_t i = 0; i < bytes_to_xor; i++) {
310 : 1066528 : *output ^= ws->digest1[i];
311 : 1066528 : output++;
312 : 1066528 : outputlen--;
313 : 1066528 : }
314 : :
315 : : /* Stash a digest of A(N), in A(N), for the next round */
316 [ - + ]: 42918 : POSIX_GUARD(hmac->reset(ws));
317 [ - + ]: 42918 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
318 [ - + ]: 42918 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
319 : 42918 : }
320 : :
321 [ - + ]: 16155 : POSIX_GUARD(hmac->cleanup(ws));
322 : :
323 : 16155 : return 0;
324 : 16155 : }
325 : :
326 : : S2N_RESULT s2n_prf_new(struct s2n_connection *conn)
327 : 126925 : {
328 [ + + ][ + - ]: 126925 : RESULT_ENSURE_REF(conn);
329 [ - + ][ # # ]: 126924 : RESULT_ENSURE_EQ(conn->prf_space, NULL);
330 : :
331 : 126924 : DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
332 [ - + ]: 126924 : RESULT_GUARD_POSIX(s2n_realloc(&mem, sizeof(struct s2n_prf_working_space)));
333 [ - + ]: 126924 : RESULT_GUARD_POSIX(s2n_blob_zero(&mem));
334 : 126924 : conn->prf_space = (struct s2n_prf_working_space *) (void *) mem.data;
335 : 126924 : ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
336 : :
337 : : /* Allocate the hmac state */
338 : 126924 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
339 [ # # ][ - + ]: 126924 : RESULT_ENSURE_REF(hmac_impl);
340 [ - + ]: 126924 : RESULT_GUARD_POSIX(hmac_impl->alloc(conn->prf_space));
341 : 126924 : return S2N_RESULT_OK;
342 : 126924 : }
343 : :
344 : : S2N_RESULT s2n_prf_wipe(struct s2n_connection *conn)
345 : 3422018 : {
346 [ + - ][ + + ]: 3422018 : RESULT_ENSURE_REF(conn);
347 [ + + ][ + - ]: 3422017 : RESULT_ENSURE_REF(conn->prf_space);
348 : :
349 : 3422016 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
350 [ # # ][ - + ]: 3422016 : RESULT_ENSURE_REF(hmac_impl);
351 [ - + ]: 3422016 : RESULT_GUARD_POSIX(hmac_impl->reset(conn->prf_space));
352 : :
353 : 3422016 : return S2N_RESULT_OK;
354 : 3422016 : }
355 : :
356 : : S2N_RESULT s2n_prf_free(struct s2n_connection *conn)
357 : 126952 : {
358 [ + + ][ + - ]: 126952 : RESULT_ENSURE_REF(conn);
359 [ + + ]: 126951 : if (conn->prf_space == NULL) {
360 : 27 : return S2N_RESULT_OK;
361 : 27 : }
362 : :
363 : 126924 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
364 [ # # ][ - + ]: 126924 : RESULT_ENSURE_REF(hmac_impl);
365 [ - + ]: 126924 : RESULT_GUARD_POSIX(hmac_impl->free(conn->prf_space));
366 : :
367 [ - + ]: 126924 : RESULT_GUARD_POSIX(s2n_free_object((uint8_t **) &conn->prf_space, sizeof(struct s2n_prf_working_space)));
368 : 126924 : return S2N_RESULT_OK;
369 : 126924 : }
370 : :
371 : : S2N_RESULT s2n_prf_custom(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label,
372 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
373 : 14764 : {
374 : : /* We zero the out blob because p_hash works by XOR'ing with the existing
375 : : * buffer. This is a little convoluted but means we can avoid dynamic memory
376 : : * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
377 : : * the right values. When we call it twice in the regular case, the two
378 : : * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
379 : : */
380 [ - + ]: 14764 : RESULT_GUARD_POSIX(s2n_blob_zero(out));
381 : :
382 [ + + ]: 14764 : if (conn->actual_protocol_version == S2N_TLS12) {
383 [ - + ]: 13373 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, conn->secure->cipher_suite->prf_alg, secret, label, seed_a,
384 : 13373 : seed_b, seed_c, out));
385 : 13373 : return S2N_RESULT_OK;
386 : 13373 : }
387 : :
388 : 1391 : struct s2n_blob half_secret = { 0 };
389 [ - + ]: 1391 : RESULT_GUARD_POSIX(s2n_blob_init(&half_secret, secret->data, (secret->size + 1) / 2));
390 : :
391 [ - + ]: 1391 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
392 : 1391 : half_secret.data += secret->size - half_secret.size;
393 [ - + ]: 1391 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
394 : :
395 : 1391 : return S2N_RESULT_OK;
396 : 1391 : }
397 : :
398 : : int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
399 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
400 : 15157 : {
401 [ + - ][ + + ]: 15157 : POSIX_ENSURE_REF(conn);
402 [ - + ][ # # ]: 15156 : POSIX_ENSURE_REF(conn->secure);
403 [ - + ][ # # ]: 15156 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
404 [ + - ][ + + ]: 15156 : POSIX_ENSURE_REF(conn->prf_space);
405 [ + + ][ + - ]: 15155 : POSIX_ENSURE_REF(secret);
406 [ + + ][ + - ]: 15154 : POSIX_ENSURE_REF(label);
407 [ + + ][ + - ]: 15153 : POSIX_ENSURE_REF(out);
408 : :
409 : : /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
410 [ + - ][ + + ]: 15152 : POSIX_ENSURE(seed_a != NULL, S2N_ERR_PRF_INVALID_SEED);
411 [ + - ][ + + ]: 15151 : POSIX_ENSURE(S2N_IMPLIES(seed_c != NULL, seed_b != NULL), S2N_ERR_PRF_INVALID_SEED);
[ + + ]
412 : :
413 [ + + ]: 15150 : if (conn->actual_protocol_version == S2N_SSLv3) {
414 [ - + ]: 386 : POSIX_GUARD(s2n_prf_sslv3(conn, secret, seed_a, seed_b, seed_c, out));
415 : 386 : return S2N_SUCCESS;
416 : 386 : }
417 : :
418 : : /* By default, s2n-tls uses a custom PRF implementation. When operating in FIPS mode, the
419 : : * FIPS-validated libcrypto implementation is used instead, if an implementation is provided.
420 : : */
421 [ - + ]: 14764 : if (s2n_is_in_fips_mode()) {
422 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_prf_libcrypto(conn, secret, label, seed_a, seed_b, seed_c, out));
423 : 0 : return S2N_SUCCESS;
424 : 0 : }
425 : :
426 [ - + ]: 14764 : POSIX_GUARD_RESULT(s2n_prf_custom(conn, secret, label, seed_a, seed_b, seed_c, out));
427 : :
428 : 14764 : return S2N_SUCCESS;
429 : 14764 : }
430 : :
431 : : int s2n_prf_tls_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
432 : 35 : {
433 [ # # ][ - + ]: 35 : POSIX_ENSURE_REF(conn);
434 : :
435 : 35 : struct s2n_blob client_random = { 0 };
436 [ - + ]: 35 : POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
437 : 35 : struct s2n_blob server_random = { 0 };
438 [ - + ]: 35 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
439 : 35 : struct s2n_blob master_secret = { 0 };
440 [ - + ]: 35 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
441 : :
442 : 35 : uint8_t master_secret_label[] = "master secret";
443 : 35 : struct s2n_blob label = { 0 };
444 [ - + ]: 35 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
445 : :
446 : 35 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
447 : 35 : }
448 : :
449 : : int s2n_prf_hybrid_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
450 : 0 : {
451 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
452 : :
453 : 0 : struct s2n_blob client_random = { 0 };
454 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
455 : 0 : struct s2n_blob server_random = { 0 };
456 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
457 : 0 : struct s2n_blob master_secret = { 0 };
458 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
459 : :
460 : 0 : uint8_t master_secret_label[] = "hybrid master secret";
461 : 0 : struct s2n_blob label = { 0 };
462 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
463 : :
464 : 0 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->kex_params.client_key_exchange_message, &master_secret);
465 : 0 : }
466 : :
467 : : int s2n_prf_calculate_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
468 : 4518 : {
469 [ - + ][ # # ]: 4518 : POSIX_ENSURE_REF(conn);
470 [ # # ][ - + ]: 4518 : POSIX_ENSURE_REF(conn->secure);
471 : :
472 [ + + ][ + - ]: 4518 : POSIX_ENSURE_EQ(s2n_conn_get_current_message_type(conn), CLIENT_KEY);
473 : :
474 [ + + ]: 4517 : if (!conn->ems_negotiated) {
475 [ - + ]: 30 : POSIX_GUARD(s2n_prf_tls_master_secret(conn, premaster_secret));
476 : 30 : return S2N_SUCCESS;
477 : 30 : }
478 : :
479 : : /* Only the client writes the Client Key Exchange message */
480 [ + + ]: 4487 : if (conn->mode == S2N_CLIENT) {
481 [ - + ]: 2227 : POSIX_GUARD(s2n_handshake_finish_header(&conn->handshake.io));
482 : 2227 : }
483 : 4487 : struct s2n_stuffer client_key_message = conn->handshake.io;
484 [ - + ]: 4487 : POSIX_GUARD(s2n_stuffer_reread(&client_key_message));
485 : 4487 : uint32_t client_key_message_size = s2n_stuffer_data_available(&client_key_message);
486 : 4487 : struct s2n_blob client_key_blob = { 0 };
487 [ - + ]: 4487 : POSIX_GUARD(s2n_blob_init(&client_key_blob, client_key_message.blob.data, client_key_message_size));
488 : :
489 : 4487 : uint8_t data[S2N_MAX_DIGEST_LEN] = { 0 };
490 : 4487 : struct s2n_blob digest = { 0 };
491 [ - + ]: 4487 : POSIX_GUARD(s2n_blob_init(&digest, data, sizeof(data)));
492 [ + + ]: 4487 : if (conn->actual_protocol_version < S2N_TLS12) {
493 : 537 : uint8_t sha1_data[S2N_MAX_DIGEST_LEN] = { 0 };
494 : 537 : struct s2n_blob sha1_digest = { 0 };
495 [ - + ]: 537 : POSIX_GUARD(s2n_blob_init(&sha1_digest, sha1_data, sizeof(sha1_data)));
496 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_MD5, &digest));
497 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_SHA1, &sha1_digest));
498 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, &sha1_digest));
499 : 3950 : } else {
500 : 3950 : s2n_hmac_algorithm prf_alg = conn->secure->cipher_suite->prf_alg;
501 : 3950 : s2n_hash_algorithm hash_alg = 0;
502 [ - + ]: 3950 : POSIX_GUARD(s2n_hmac_hash_alg(prf_alg, &hash_alg));
503 [ - + ]: 3950 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, hash_alg, &digest));
504 [ - + ]: 3950 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, NULL));
505 : 3950 : }
506 : 4487 : return S2N_SUCCESS;
507 : 4487 : }
508 : :
509 : : /**
510 : : *= https://www.rfc-editor.org/rfc/rfc7627#section-4
511 : : *# When the extended master secret extension is negotiated in a full
512 : : *# handshake, the "master_secret" is computed as
513 : : *#
514 : : *# master_secret = PRF(pre_master_secret, "extended master secret",
515 : : *# session_hash)
516 : : *# [0..47];
517 : : */
518 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash)
519 : 4488 : {
520 [ # # ][ - + ]: 4488 : RESULT_ENSURE_REF(conn);
521 : :
522 : 4488 : struct s2n_blob extended_master_secret = { 0 };
523 [ - + ]: 4488 : RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
524 : :
525 : 4488 : uint8_t extended_master_secret_label[] = "extended master secret";
526 : : /* Subtract one from the label size to remove the "\0" */
527 : 4488 : struct s2n_blob label = { 0 };
528 [ - + ]: 4488 : RESULT_GUARD_POSIX(s2n_blob_init(&label, extended_master_secret_label, sizeof(extended_master_secret_label) - 1));
529 : :
530 [ - + ]: 4488 : RESULT_GUARD_POSIX(s2n_prf(conn, premaster_secret, &label, session_hash, sha1_hash, NULL, &extended_master_secret));
531 : :
532 : 4488 : return S2N_RESULT_OK;
533 : 4488 : }
534 : :
535 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message, s2n_hash_algorithm hash_alg, struct s2n_blob *output)
536 : 5025 : {
537 [ - + ][ # # ]: 5025 : RESULT_ENSURE_REF(conn);
538 [ - + ][ # # ]: 5025 : RESULT_ENSURE_REF(conn->handshake.hashes);
539 [ # # ][ - + ]: 5025 : RESULT_ENSURE_REF(message);
540 [ # # ][ - + ]: 5025 : RESULT_ENSURE_REF(output);
541 : :
542 : 5025 : struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
543 [ - + ]: 5025 : RESULT_GUARD(s2n_handshake_copy_hash_state(conn, hash_alg, hash_state));
544 [ - + ]: 5025 : RESULT_GUARD_POSIX(s2n_hash_update(hash_state, message->data, message->size));
545 : :
546 : 5025 : uint8_t digest_size = 0;
547 [ - + ]: 5025 : RESULT_GUARD_POSIX(s2n_hash_digest_size(hash_alg, &digest_size));
548 [ - + ][ # # ]: 5025 : RESULT_ENSURE_GTE(output->size, digest_size);
549 [ - + ]: 5025 : RESULT_GUARD_POSIX(s2n_hash_digest(hash_state, output->data, digest_size));
550 : 5025 : output->size = digest_size;
551 : :
552 : 5025 : return S2N_RESULT_OK;
553 : 5025 : }
554 : :
555 : : static int s2n_prf_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *hash_workspace, uint8_t *out)
556 : 385 : {
557 [ - + ][ # # ]: 385 : POSIX_ENSURE_REF(conn);
558 [ # # ][ - + ]: 385 : POSIX_ENSURE_REF(conn->handshake.hashes);
559 : :
560 : 385 : uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
561 : 385 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 };
562 : 385 : uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
563 : 385 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c };
564 : 385 : uint8_t *md5_digest = out;
565 : 385 : uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
566 : :
567 [ - + ]: 385 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH));
568 : :
569 : 385 : struct s2n_hash_state *md5 = hash_workspace;
570 [ - + ]: 385 : POSIX_GUARD(s2n_hash_copy(md5, &conn->handshake.hashes->md5));
571 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, prefix, 4));
572 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
573 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, xorpad1, 48));
574 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
575 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(md5));
576 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
577 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, xorpad2, 48));
578 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
579 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
580 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(md5));
581 : :
582 : 385 : struct s2n_hash_state *sha1 = hash_workspace;
583 [ - + ]: 385 : POSIX_GUARD(s2n_hash_copy(sha1, &conn->handshake.hashes->sha1));
584 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, prefix, 4));
585 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
586 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, xorpad1, 40));
587 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
588 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(sha1));
589 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
590 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, xorpad2, 40));
591 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
592 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
593 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(sha1));
594 : :
595 : 385 : return 0;
596 : 385 : }
597 : :
598 : : static int s2n_prf_sslv3_client_finished(struct s2n_connection *conn)
599 : 192 : {
600 [ # # ][ - + ]: 192 : POSIX_ENSURE_REF(conn);
601 [ # # ][ - + ]: 192 : POSIX_ENSURE_REF(conn->handshake.hashes);
602 : :
603 : 192 : uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
604 : :
605 : 192 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.client_finished);
606 : 192 : }
607 : :
608 : : static int s2n_prf_sslv3_server_finished(struct s2n_connection *conn)
609 : 193 : {
610 [ # # ][ - + ]: 193 : POSIX_ENSURE_REF(conn);
611 [ - + ][ # # ]: 193 : POSIX_ENSURE_REF(conn->handshake.hashes);
612 : :
613 : 193 : uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
614 : :
615 : 193 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.server_finished);
616 : 193 : }
617 : :
618 : : int s2n_prf_client_finished(struct s2n_connection *conn)
619 : 3664 : {
620 [ # # ][ - + ]: 3664 : POSIX_ENSURE_REF(conn);
621 [ - + ][ # # ]: 3664 : POSIX_ENSURE_REF(conn->secure);
622 [ - + ][ # # ]: 3664 : POSIX_ENSURE_REF(conn->handshake.hashes);
623 : :
624 : 3664 : struct s2n_blob master_secret, md5, sha;
625 : 3664 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
626 : 3664 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
627 : 3664 : uint8_t client_finished_label[] = "client finished";
628 : 3664 : struct s2n_blob client_finished = { 0 };
629 : 3664 : struct s2n_blob label = { 0 };
630 : :
631 [ + + ]: 3664 : if (conn->actual_protocol_version == S2N_SSLv3) {
632 : 192 : return s2n_prf_sslv3_client_finished(conn);
633 : 192 : }
634 : :
635 : 3472 : client_finished.data = conn->handshake.client_finished;
636 : 3472 : client_finished.size = S2N_TLS_FINISHED_LEN;
637 [ + + ]: 3472 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, client_finished.size));
638 : 3470 : label.data = client_finished_label;
639 : 3470 : label.size = sizeof(client_finished_label) - 1;
640 : :
641 : 3470 : master_secret.data = conn->secrets.version.tls12.master_secret;
642 : 3470 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
643 [ + + ]: 3470 : if (conn->actual_protocol_version == S2N_TLS12) {
644 : 3126 : switch (conn->secure->cipher_suite->prf_alg) {
645 [ + + ]: 2904 : case S2N_HMAC_SHA256:
646 [ - + ]: 2904 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
647 [ - + ]: 2904 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
648 : 2904 : sha.size = SHA256_DIGEST_LENGTH;
649 : 2904 : break;
650 [ + + ]: 222 : case S2N_HMAC_SHA384:
651 [ - + ]: 222 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
652 [ - + ]: 222 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
653 : 222 : sha.size = SHA384_DIGEST_LENGTH;
654 : 222 : break;
655 [ - + ]: 0 : default:
656 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
657 : 3126 : }
658 : :
659 : 3126 : sha.data = sha_digest;
660 : 3126 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
661 : 3126 : }
662 : :
663 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
664 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
665 : 344 : md5.data = md5_digest;
666 : 344 : md5.size = MD5_DIGEST_LENGTH;
667 : :
668 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
669 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
670 : 344 : sha.data = sha_digest;
671 : 344 : sha.size = SHA_DIGEST_LENGTH;
672 : :
673 : 344 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
674 : 344 : }
675 : :
676 : : int s2n_prf_server_finished(struct s2n_connection *conn)
677 : 2743 : {
678 [ # # ][ - + ]: 2743 : POSIX_ENSURE_REF(conn);
679 [ - + ][ # # ]: 2743 : POSIX_ENSURE_REF(conn->secure);
680 [ - + ][ # # ]: 2743 : POSIX_ENSURE_REF(conn->handshake.hashes);
681 : :
682 : 2743 : struct s2n_blob master_secret, md5, sha;
683 : 2743 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
684 : 2743 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
685 : 2743 : uint8_t server_finished_label[] = "server finished";
686 : 2743 : struct s2n_blob server_finished = { 0 };
687 : 2743 : struct s2n_blob label = { 0 };
688 : :
689 [ + + ]: 2743 : if (conn->actual_protocol_version == S2N_SSLv3) {
690 : 193 : return s2n_prf_sslv3_server_finished(conn);
691 : 193 : }
692 : :
693 : 2550 : server_finished.data = conn->handshake.server_finished;
694 : 2550 : server_finished.size = S2N_TLS_FINISHED_LEN;
695 [ - + ]: 2550 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, server_finished.size));
696 : 2550 : label.data = server_finished_label;
697 : 2550 : label.size = sizeof(server_finished_label) - 1;
698 : :
699 : 2550 : master_secret.data = conn->secrets.version.tls12.master_secret;
700 : 2550 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
701 [ + + ]: 2550 : if (conn->actual_protocol_version == S2N_TLS12) {
702 : 2206 : switch (conn->secure->cipher_suite->prf_alg) {
703 [ + + ]: 1987 : case S2N_HMAC_SHA256:
704 [ - + ]: 1987 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
705 [ - + ]: 1987 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
706 : 1987 : sha.size = SHA256_DIGEST_LENGTH;
707 : 1987 : break;
708 [ + + ]: 219 : case S2N_HMAC_SHA384:
709 [ - + ]: 219 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
710 [ - + ]: 219 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
711 : 219 : sha.size = SHA384_DIGEST_LENGTH;
712 : 219 : break;
713 [ - + ]: 0 : default:
714 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
715 : 2206 : }
716 : :
717 : 2206 : sha.data = sha_digest;
718 : 2206 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
719 : 2206 : }
720 : :
721 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
722 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
723 : 344 : md5.data = md5_digest;
724 : 344 : md5.size = MD5_DIGEST_LENGTH;
725 : :
726 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
727 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
728 : 344 : sha.data = sha_digest;
729 : 344 : sha.size = SHA_DIGEST_LENGTH;
730 : :
731 : 344 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
732 : 344 : }
733 : :
734 : : static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
735 : 4577 : {
736 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn);
737 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure);
738 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
739 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
740 : 4577 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
741 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher);
742 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher->set_encryption_key);
743 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher->set_decryption_key);
744 : :
745 [ + + ]: 4577 : if (conn->mode == S2N_CLIENT) {
746 [ - + ]: 2265 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->client_key, &key_material->client_key));
747 : 2312 : } else {
748 [ - + ]: 2312 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->client_key, &key_material->client_key));
749 : 2312 : }
750 : :
751 : 4577 : return 0;
752 : 4577 : }
753 : :
754 : : static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
755 : 4577 : {
756 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn);
757 [ # # ][ - + ]: 4577 : POSIX_ENSURE_REF(conn->secure);
758 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
759 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
760 : 4577 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
761 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher);
762 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher->set_encryption_key);
763 [ # # ][ - + ]: 4577 : POSIX_ENSURE_REF(cipher->set_decryption_key);
764 : :
765 [ + + ]: 4577 : if (conn->mode == S2N_SERVER) {
766 [ - + ]: 2312 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->server_key, &key_material->server_key));
767 : 2312 : } else {
768 [ - + ]: 2265 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->server_key, &key_material->server_key));
769 : 2265 : }
770 : :
771 : 4577 : return 0;
772 : 4577 : }
773 : :
774 : : S2N_RESULT s2n_prf_generate_key_material(struct s2n_connection *conn, struct s2n_key_material *key_material)
775 : 4600 : {
776 [ # # ][ - + ]: 4600 : RESULT_ENSURE_REF(conn);
777 [ - + ][ # # ]: 4600 : RESULT_ENSURE_REF(key_material);
778 : :
779 : 4600 : struct s2n_blob client_random = { 0 };
780 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
781 : 4600 : struct s2n_blob server_random = { 0 };
782 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
783 : 4600 : struct s2n_blob master_secret = { 0 };
784 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
785 : :
786 : 4600 : struct s2n_blob label = { 0 };
787 : 4600 : uint8_t key_expansion_label[] = "key expansion";
788 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_blob_init(&label, key_expansion_label, sizeof(key_expansion_label) - 1));
789 : :
790 [ - + ]: 4600 : RESULT_GUARD(s2n_key_material_init(key_material, conn));
791 : 4600 : struct s2n_blob prf_out = { 0 };
792 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_blob_init(&prf_out, key_material->key_block, sizeof(key_material->key_block)));
793 [ - + ]: 4600 : RESULT_GUARD_POSIX(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &prf_out));
794 : :
795 : 4600 : return S2N_RESULT_OK;
796 : 4600 : }
797 : :
798 : : int s2n_prf_key_expansion(struct s2n_connection *conn)
799 : 4577 : {
800 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn);
801 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(conn->secure);
802 : 4577 : struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
803 [ # # ][ - + ]: 4577 : POSIX_ENSURE_REF(cipher_suite);
804 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher_suite->record_alg);
805 : 4577 : const struct s2n_cipher *cipher = cipher_suite->record_alg->cipher;
806 [ - + ][ # # ]: 4577 : POSIX_ENSURE_REF(cipher);
807 : :
808 : 4577 : struct s2n_key_material key_material = { 0 };
809 [ - + ]: 4577 : POSIX_GUARD_RESULT(s2n_prf_generate_key_material(conn, &key_material));
810 : :
811 [ - + ][ # # ]: 4577 : POSIX_ENSURE(cipher_suite->available, S2N_ERR_PRF_INVALID_ALGORITHM);
812 [ - + ]: 4577 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->client_key));
813 [ - + ]: 4577 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->server_key));
814 : :
815 : : /* Seed the client MAC */
816 [ - + ]: 4577 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->client_record_mac));
817 [ - + ]: 4577 : POSIX_GUARD(s2n_hmac_init(
818 : 4577 : &conn->secure->client_record_mac,
819 : 4577 : cipher_suite->record_alg->hmac_alg,
820 : 4577 : key_material.client_mac.data,
821 : 4577 : key_material.client_mac.size));
822 : :
823 : : /* Seed the server MAC */
824 [ - + ]: 4577 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->server_record_mac));
825 [ - + ]: 4577 : POSIX_GUARD(s2n_hmac_init(
826 : 4577 : &conn->secure->server_record_mac,
827 : 4577 : conn->secure->cipher_suite->record_alg->hmac_alg,
828 : 4577 : key_material.server_mac.data,
829 : 4577 : key_material.server_mac.size));
830 : :
831 : : /* Make the client key */
832 [ - + ]: 4577 : POSIX_GUARD(s2n_prf_make_client_key(conn, &key_material));
833 : :
834 : : /* Make the server key */
835 [ - + ]: 4577 : POSIX_GUARD(s2n_prf_make_server_key(conn, &key_material));
836 : :
837 : : /* Composite CBC does MAC inside the cipher, pass it the MAC key.
838 : : * Must happen after setting encryption/decryption keys.
839 : : */
840 [ + + ]: 4577 : if (cipher->type == S2N_COMPOSITE) {
841 [ - + ]: 767 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->client_key, key_material.client_mac.data, key_material.client_mac.size));
842 [ - + ]: 767 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->server_key, key_material.server_mac.data, key_material.server_mac.size));
843 : 767 : }
844 : :
845 : : /* set IV */
846 [ - + ][ # # ]: 4577 : POSIX_ENSURE_EQ(key_material.client_iv.size, key_material.server_iv.size);
847 [ - + ][ # # ]: 4577 : POSIX_ENSURE_LTE(key_material.client_iv.size, S2N_TLS_MAX_IV_LEN);
848 [ - + ][ # # ]: 4577 : POSIX_CHECKED_MEMCPY(conn->secure->client_implicit_iv, key_material.client_iv.data, key_material.client_iv.size);
[ + + ]
849 [ - + ][ # # ]: 4577 : POSIX_CHECKED_MEMCPY(conn->secure->server_implicit_iv, key_material.server_iv.data, key_material.server_iv.size);
[ + + ]
850 : :
851 : 4577 : return 0;
852 : 4577 : }
|
