LCOV - code coverage report
Current view: top level - tls - s2n_prf.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 526 551 95.5 %
Date: 2026-07-04 07:27:58 Functions: 29 30 96.7 %
Branches: 324 710 45.6 %

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "tls/s2n_prf.h"
      17                 :            : 
      18                 :            : #include <openssl/hmac.h>
      19                 :            : #include <openssl/md5.h>
      20                 :            : #include <openssl/sha.h>
      21                 :            : #include <string.h>
      22                 :            : 
      23                 :            : #include "crypto/s2n_fips.h"
      24                 :            : #include "crypto/s2n_hash.h"
      25                 :            : #include "crypto/s2n_hmac.h"
      26                 :            : #include "crypto/s2n_prf_libcrypto.h"
      27                 :            : #include "error/s2n_errno.h"
      28                 :            : #include "stuffer/s2n_stuffer.h"
      29                 :            : #include "tls/s2n_cipher_suites.h"
      30                 :            : #include "tls/s2n_connection.h"
      31                 :            : #include "tls/s2n_crypto_constants.h"
      32                 :            : #include "tls/s2n_tls.h"
      33                 :            : #include "utils/s2n_blob.h"
      34                 :            : #include "utils/s2n_mem.h"
      35                 :            : #include "utils/s2n_safety.h"
      36                 :            : 
      37                 :            : /* The s2n p_hash implementation is abstracted to allow for separate implementations.
      38                 :            :  * Currently the only implementation uses s2n-tls's custom HMAC implementation.
      39                 :            :  */
      40                 :            : struct s2n_p_hash_hmac {
      41                 :            :     int (*alloc)(struct s2n_prf_working_space *ws);
      42                 :            :     int (*init)(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret);
      43                 :            :     int (*update)(struct s2n_prf_working_space *ws, const void *data, uint32_t size);
      44                 :            :     int (*final)(struct s2n_prf_working_space *ws, void *digest, uint32_t size);
      45                 :            :     int (*reset)(struct s2n_prf_working_space *ws);
      46                 :            :     int (*cleanup)(struct s2n_prf_working_space *ws);
      47                 :            :     int (*free)(struct s2n_prf_working_space *ws);
      48                 :            : };
      49                 :            : 
      50                 :            : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message,
      51                 :            :         s2n_hash_algorithm hash_alg, struct s2n_blob *output);
      52                 :            : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn,
      53                 :            :         struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash);
      54                 :            : 
      55                 :            : S2N_RESULT s2n_key_material_init(struct s2n_key_material *key_material, struct s2n_connection *conn)
      56                 :      33374 : {
      57 [ #  # ][ -  + ]:      33374 :     RESULT_ENSURE_REF(key_material);
      58 [ #  # ][ -  + ]:      33374 :     RESULT_ENSURE_REF(conn);
      59 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(conn->secure);
      60 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(conn->secure->cipher_suite);
      61 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg);
      62                 :      33374 :     const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
      63 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(cipher);
      64                 :            : 
      65                 :      33374 :     uint8_t mac_size = 0;
      66                 :      33374 :     uint32_t key_size = 0;
      67                 :      33374 :     uint32_t iv_size = 0;
      68                 :            : 
      69                 :            :     /* MAC size */
      70         [ +  + ]:      33374 :     if (cipher->type == S2N_COMPOSITE) {
      71                 :      29514 :         mac_size = cipher->io.comp.mac_key_size;
      72                 :      29514 :     } else {
      73         [ -  + ]:       3860 :         RESULT_GUARD_POSIX(s2n_hmac_digest_size(conn->secure->cipher_suite->record_alg->hmac_alg, &mac_size));
      74                 :       3860 :     }
      75                 :            : 
      76                 :            :     /* KEY size */
      77                 :      33374 :     key_size = cipher->key_material_size;
      78                 :            : 
      79                 :            :     /* Only AEAD ciphers have implicit IVs for TLS >= 1.1 */
      80 [ +  + ][ +  + ]:      33374 :     if (conn->actual_protocol_version <= S2N_TLS10 || cipher->type == S2N_AEAD) {
      81                 :            :         /* IV size */
      82                 :      32504 :         switch (cipher->type) {
      83         [ +  + ]:       3405 :             case S2N_AEAD:
      84                 :       3405 :                 iv_size = cipher->io.aead.fixed_iv_size;
      85                 :       3405 :                 break;
      86         [ +  + ]:        237 :             case S2N_CBC:
      87                 :        237 :                 iv_size = cipher->io.cbc.block_size;
      88                 :        237 :                 break;
      89         [ +  + ]:      28862 :             case S2N_COMPOSITE:
      90                 :      28862 :                 iv_size = cipher->io.comp.block_size;
      91                 :      28862 :                 break;
      92                 :            :             /* No-op for stream ciphers */
      93         [ -  + ]:          0 :             default:
      94                 :          0 :                 break;
      95                 :      32504 :         }
      96                 :      32504 :     }
      97                 :            : 
      98                 :      33374 :     struct s2n_stuffer key_material_stuffer = { 0 };
      99                 :      33374 :     struct s2n_blob key_material_blob = { 0 };
     100         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material_blob, key_material->key_block, sizeof(key_material->key_block)));
     101         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_stuffer_init_written(&key_material_stuffer, &key_material_blob));
     102                 :            : 
     103                 :            :     /* initialize key_material blobs; incrementing ptr to point to the next slice of memory */
     104                 :      33374 :     uint8_t *ptr = NULL;
     105                 :            :     /* MAC */
     106                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
     107 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     108         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_mac, ptr, mac_size));
     109                 :            : 
     110                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
     111 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     112         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_mac, ptr, mac_size));
     113                 :            : 
     114                 :            :     /* KEY */
     115                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
     116 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     117         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_key, ptr, key_size));
     118                 :            : 
     119                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
     120 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     121         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_key, ptr, key_size));
     122                 :            : 
     123                 :            :     /* IV */
     124                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
     125 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     126         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_iv, ptr, iv_size));
     127                 :            : 
     128                 :      33374 :     ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
     129 [ -  + ][ #  # ]:      33374 :     RESULT_ENSURE_REF(ptr);
     130         [ -  + ]:      33374 :     RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_iv, ptr, iv_size));
     131                 :            : 
     132                 :      33374 :     return S2N_RESULT_OK;
     133                 :      33374 : }
     134                 :            : 
     135                 :            : /* SSLv3 PRF uses MD5 and SHA-1 in a custom hash-based construction (not
     136                 :            :  * HMAC). The use of weak hash algorithms is inherent to the SSLv3 protocol
     137                 :            :  * specification. SSLv3 is disabled by default and not recommended.
     138                 :            :  */
     139                 :            : static int s2n_prf_sslv3(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *seed_a,
     140                 :            :         struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
     141                 :        391 : {
     142 [ #  # ][ -  + ]:        391 :     POSIX_ENSURE_REF(conn);
     143 [ #  # ][ -  + ]:        391 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     144                 :        391 :     struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
     145                 :            : 
     146                 :        391 :     uint32_t outputlen = out->size;
     147                 :        391 :     uint8_t *output = out->data;
     148                 :        391 :     uint8_t iteration = 1;
     149                 :            : 
     150                 :        391 :     uint8_t md5_digest[MD5_DIGEST_LENGTH] = { 0 }, sha_digest[SHA_DIGEST_LENGTH] = { 0 };
     151                 :            : 
     152                 :        391 :     uint8_t A = 'A';
     153         [ +  + ]:       2936 :     while (outputlen) {
     154                 :       2545 :         struct s2n_hash_state *sha1 = workspace;
     155         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_reset(sha1));
     156         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1));
     157                 :            : 
     158         [ +  + ]:      14495 :         for (int i = 0; i < iteration; i++) {
     159         [ -  + ]:      11950 :             POSIX_GUARD(s2n_hash_update(sha1, &A, 1));
     160                 :      11950 :         }
     161                 :            : 
     162         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_update(sha1, secret->data, secret->size));
     163         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
     164                 :            : 
     165         [ +  - ]:       2545 :         if (seed_b) {
     166         [ -  + ]:       2545 :             POSIX_GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
     167         [ -  + ]:       2545 :             if (seed_c) {
     168         [ #  # ]:          0 :                 POSIX_GUARD(s2n_hash_update(sha1, seed_c->data, seed_c->size));
     169                 :          0 :             }
     170                 :       2545 :         }
     171                 :            : 
     172         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, sizeof(sha_digest)));
     173                 :            : 
     174                 :       2545 :         struct s2n_hash_state *md5 = workspace;
     175         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_reset(md5));
     176         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
     177         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
     178         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));
     179         [ -  + ]:       2545 :         POSIX_GUARD(s2n_hash_digest(md5, md5_digest, sizeof(md5_digest)));
     180                 :            : 
     181         [ -  + ]:       2545 :         uint32_t bytes_to_copy = S2N_MIN(outputlen, sizeof(md5_digest));
     182                 :            : 
     183 [ -  + ][ #  # ]:       2545 :         POSIX_CHECKED_MEMCPY(output, md5_digest, bytes_to_copy);
                 [ +  - ]
     184                 :            : 
     185                 :       2545 :         outputlen -= bytes_to_copy;
     186                 :       2545 :         output += bytes_to_copy;
     187                 :            : 
     188                 :            :         /* Increment the letter */
     189                 :       2545 :         A++;
     190                 :       2545 :         iteration++;
     191                 :       2545 :     }
     192                 :            : 
     193                 :        391 :     return 0;
     194                 :        391 : }
     195                 :            : 
     196                 :            : static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
     197                 :     126947 : {
     198         [ -  + ]:     126947 :     POSIX_GUARD(s2n_hmac_new(&ws->p_hash.s2n_hmac));
     199                 :     126947 :     return s2n_hmac_init(&ws->p_hash.s2n_hmac, S2N_HMAC_NONE, NULL, 0);
     200                 :     126947 : }
     201                 :            : 
     202                 :            : static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
     203                 :      16181 : {
     204                 :      16181 :     return s2n_hmac_init(&ws->p_hash.s2n_hmac, alg, secret->data, secret->size);
     205                 :      16181 : }
     206                 :            : 
     207                 :            : static int s2n_hmac_p_hash_update(struct s2n_prf_working_space *ws, const void *data, uint32_t size)
     208                 :     241284 : {
     209                 :     241284 :     return s2n_hmac_update(&ws->p_hash.s2n_hmac, data, size);
     210                 :     241284 : }
     211                 :            : 
     212                 :            : static int s2n_hmac_p_hash_digest(struct s2n_prf_working_space *ws, void *digest, uint32_t size)
     213                 :     102201 : {
     214                 :     102201 :     return s2n_hmac_digest(&ws->p_hash.s2n_hmac, digest, size);
     215                 :     102201 : }
     216                 :            : 
     217                 :            : static int s2n_hmac_p_hash_reset(struct s2n_prf_working_space *ws)
     218                 :    3524199 : {
     219                 :            :     /* If we actually initialized s2n_hmac, wipe it.
     220                 :            :      * A valid, initialized s2n_hmac_state will have a valid block size.
     221                 :            :      */
     222         [ +  - ]:    3524199 :     if (ws->p_hash.s2n_hmac.hash_block_size != 0) {
     223                 :    3524199 :         return s2n_hmac_reset(&ws->p_hash.s2n_hmac);
     224                 :    3524199 :     }
     225                 :          0 :     return S2N_SUCCESS;
     226                 :    3524199 : }
     227                 :            : 
     228                 :            : static int s2n_hmac_p_hash_cleanup(struct s2n_prf_working_space *ws)
     229                 :      16181 : {
     230                 :      16181 :     return s2n_hmac_p_hash_reset(ws);
     231                 :      16181 : }
     232                 :            : 
     233                 :            : static int s2n_hmac_p_hash_free(struct s2n_prf_working_space *ws)
     234                 :     126947 : {
     235                 :     126947 :     return s2n_hmac_free(&ws->p_hash.s2n_hmac);
     236                 :     126947 : }
     237                 :            : 
     238                 :            : static const struct s2n_p_hash_hmac s2n_internal_p_hash_hmac = {
     239                 :            :     .alloc = &s2n_hmac_p_hash_new,
     240                 :            :     .init = &s2n_hmac_p_hash_init,
     241                 :            :     .update = &s2n_hmac_p_hash_update,
     242                 :            :     .final = &s2n_hmac_p_hash_digest,
     243                 :            :     .reset = &s2n_hmac_p_hash_reset,
     244                 :            :     .cleanup = &s2n_hmac_p_hash_cleanup,
     245                 :            :     .free = &s2n_hmac_p_hash_free,
     246                 :            : };
     247                 :            : 
     248                 :            : /*
     249                 :            :  * For now, use the internal s2n-tls hmac abstraction.
     250                 :            :  * However, that is a custom implementation of hmac built on hashes.
     251                 :            :  * Ideally we should stop using our custom implementation here and switch
     252                 :            :  * to using a libcrypto implementation. Unfortunately, what each libcrypto
     253                 :            :  * can support varies a lot for HMACs.
     254                 :            :  *
     255                 :            :  * For historical reference, there used to be two other hmac implementations:
     256                 :            :  * https://github.com/aws/s2n-tls/blob/711ee0df658cd7c44088cf7a1b20a9f3cf5296d6/tls/s2n_prf.c#L174-L337
     257                 :            :  * Both implementations have compatibility issues with one or more libcryptos.
     258                 :            :  */
     259                 :            : const struct s2n_p_hash_hmac *s2n_get_hmac_implementation()
     260                 :    3692073 : {
     261                 :    3692073 :     return &s2n_internal_p_hash_hmac;
     262                 :    3692073 : }
     263                 :            : 
     264                 :            : static int s2n_p_hash(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label,
     265                 :            :         struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
     266                 :      16181 : {
     267                 :      16181 :     uint8_t digest_size = 0;
     268         [ -  + ]:      16181 :     POSIX_GUARD(s2n_hmac_digest_size(alg, &digest_size));
     269                 :            : 
     270                 :      16181 :     const struct s2n_p_hash_hmac *hmac = s2n_get_hmac_implementation();
     271 [ #  # ][ -  + ]:      16181 :     POSIX_ENSURE_REF(hmac);
     272                 :            : 
     273                 :            :     /* First compute hmac(secret + A(0)) */
     274         [ -  + ]:      16181 :     POSIX_GUARD(hmac->init(ws, alg, secret));
     275         [ -  + ]:      16181 :     POSIX_GUARD(hmac->update(ws, label->data, label->size));
     276         [ -  + ]:      16181 :     POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
     277                 :            : 
     278         [ +  + ]:      16181 :     if (seed_b) {
     279         [ -  + ]:       6890 :         POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
     280         [ +  + ]:       6890 :         if (seed_c) {
     281         [ -  + ]:          5 :             POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
     282                 :          5 :         }
     283                 :       6890 :     }
     284         [ -  + ]:      16181 :     POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
     285                 :            : 
     286                 :      16181 :     uint32_t outputlen = out->size;
     287                 :      16181 :     uint8_t *output = out->data;
     288                 :            : 
     289         [ +  + ]:      59191 :     while (outputlen) {
     290                 :            :         /* Now compute hmac(secret + A(N - 1) + seed) */
     291         [ -  + ]:      43010 :         POSIX_GUARD(hmac->reset(ws));
     292         [ -  + ]:      43010 :         POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
     293                 :            : 
     294                 :            :         /* Add the label + seed and compute this round's A */
     295         [ -  + ]:      43010 :         POSIX_GUARD(hmac->update(ws, label->data, label->size));
     296         [ -  + ]:      43010 :         POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
     297         [ +  + ]:      43010 :         if (seed_b) {
     298         [ -  + ]:      29969 :             POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
     299         [ +  + ]:      29969 :             if (seed_c) {
     300         [ -  + ]:         18 :                 POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
     301                 :         18 :             }
     302                 :      29969 :         }
     303                 :            : 
     304         [ -  + ]:      43010 :         POSIX_GUARD(hmac->final(ws, ws->digest1, digest_size));
     305                 :            : 
     306         [ +  + ]:      43010 :         uint32_t bytes_to_xor = S2N_MIN(outputlen, digest_size);
     307                 :            : 
     308         [ +  + ]:    1111250 :         for (size_t i = 0; i < bytes_to_xor; i++) {
     309                 :    1068240 :             *output ^= ws->digest1[i];
     310                 :    1068240 :             output++;
     311                 :    1068240 :             outputlen--;
     312                 :    1068240 :         }
     313                 :            : 
     314                 :            :         /* Stash a digest of A(N), in A(N), for the next round */
     315         [ -  + ]:      43010 :         POSIX_GUARD(hmac->reset(ws));
     316         [ -  + ]:      43010 :         POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
     317         [ -  + ]:      43010 :         POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
     318                 :      43010 :     }
     319                 :            : 
     320         [ -  + ]:      16181 :     POSIX_GUARD(hmac->cleanup(ws));
     321                 :            : 
     322                 :      16181 :     return 0;
     323                 :      16181 : }
     324                 :            : 
     325                 :            : S2N_RESULT s2n_prf_new(struct s2n_connection *conn)
     326                 :     126948 : {
     327 [ +  + ][ +  - ]:     126948 :     RESULT_ENSURE_REF(conn);
     328 [ #  # ][ -  + ]:     126947 :     RESULT_ENSURE_EQ(conn->prf_space, NULL);
     329                 :            : 
     330                 :     126947 :     DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
     331         [ -  + ]:     126947 :     RESULT_GUARD_POSIX(s2n_realloc(&mem, sizeof(struct s2n_prf_working_space)));
     332         [ -  + ]:     126947 :     RESULT_GUARD_POSIX(s2n_blob_zero(&mem));
     333                 :     126947 :     conn->prf_space = (struct s2n_prf_working_space *) (void *) mem.data;
     334                 :     126947 :     ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
     335                 :            : 
     336                 :            :     /* Allocate the hmac state */
     337                 :     126947 :     const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
     338 [ #  # ][ -  + ]:     126947 :     RESULT_ENSURE_REF(hmac_impl);
     339         [ -  + ]:     126947 :     RESULT_GUARD_POSIX(hmac_impl->alloc(conn->prf_space));
     340                 :     126947 :     return S2N_RESULT_OK;
     341                 :     126947 : }
     342                 :            : 
     343                 :            : S2N_RESULT s2n_prf_wipe(struct s2n_connection *conn)
     344                 :    3422000 : {
     345 [ +  + ][ +  - ]:    3422000 :     RESULT_ENSURE_REF(conn);
     346 [ +  - ][ +  + ]:    3421999 :     RESULT_ENSURE_REF(conn->prf_space);
     347                 :            : 
     348                 :    3421998 :     const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
     349 [ -  + ][ #  # ]:    3421998 :     RESULT_ENSURE_REF(hmac_impl);
     350         [ -  + ]:    3421998 :     RESULT_GUARD_POSIX(hmac_impl->reset(conn->prf_space));
     351                 :            : 
     352                 :    3421998 :     return S2N_RESULT_OK;
     353                 :    3421998 : }
     354                 :            : 
     355                 :            : S2N_RESULT s2n_prf_free(struct s2n_connection *conn)
     356                 :     126975 : {
     357 [ +  + ][ +  - ]:     126975 :     RESULT_ENSURE_REF(conn);
     358         [ +  + ]:     126974 :     if (conn->prf_space == NULL) {
     359                 :         27 :         return S2N_RESULT_OK;
     360                 :         27 :     }
     361                 :            : 
     362                 :     126947 :     const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
     363 [ #  # ][ -  + ]:     126947 :     RESULT_ENSURE_REF(hmac_impl);
     364         [ -  + ]:     126947 :     RESULT_GUARD_POSIX(hmac_impl->free(conn->prf_space));
     365                 :            : 
     366         [ -  + ]:     126947 :     RESULT_GUARD_POSIX(s2n_free_object((uint8_t **) &conn->prf_space, sizeof(struct s2n_prf_working_space)));
     367                 :     126947 :     return S2N_RESULT_OK;
     368                 :     126947 : }
     369                 :            : 
     370                 :            : S2N_RESULT s2n_prf_custom(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label,
     371                 :            :         struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
     372                 :      14781 : {
     373                 :            :     /* We zero the out blob because p_hash works by XOR'ing with the existing
     374                 :            :      * buffer. This is a little convoluted but means we can avoid dynamic memory
     375                 :            :      * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
     376                 :            :      * the right values. When we call it twice in the regular case, the two
     377                 :            :      * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
     378                 :            :      */
     379         [ -  + ]:      14781 :     RESULT_GUARD_POSIX(s2n_blob_zero(out));
     380                 :            : 
     381         [ +  + ]:      14781 :     if (conn->actual_protocol_version == S2N_TLS12) {
     382         [ -  + ]:      13381 :         RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, conn->secure->cipher_suite->prf_alg, secret, label, seed_a,
     383                 :      13381 :                 seed_b, seed_c, out));
     384                 :      13381 :         return S2N_RESULT_OK;
     385                 :      13381 :     }
     386                 :            : 
     387                 :       1400 :     struct s2n_blob half_secret = { 0 };
     388         [ -  + ]:       1400 :     RESULT_GUARD_POSIX(s2n_blob_init(&half_secret, secret->data, (secret->size + 1) / 2));
     389                 :            : 
     390         [ -  + ]:       1400 :     RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
     391                 :       1400 :     half_secret.data += secret->size - half_secret.size;
     392         [ -  + ]:       1400 :     RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
     393                 :            : 
     394                 :       1400 :     return S2N_RESULT_OK;
     395                 :       1400 : }
     396                 :            : 
     397                 :            : int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
     398                 :            :         struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
     399                 :      15179 : {
     400 [ +  - ][ +  + ]:      15179 :     POSIX_ENSURE_REF(conn);
     401 [ -  + ][ #  # ]:      15178 :     POSIX_ENSURE_REF(conn->secure);
     402 [ -  + ][ #  # ]:      15178 :     POSIX_ENSURE_REF(conn->secure->cipher_suite);
     403 [ +  + ][ +  - ]:      15178 :     POSIX_ENSURE_REF(conn->prf_space);
     404 [ +  - ][ +  + ]:      15177 :     POSIX_ENSURE_REF(secret);
     405 [ +  + ][ +  - ]:      15176 :     POSIX_ENSURE_REF(label);
     406 [ +  + ][ +  - ]:      15175 :     POSIX_ENSURE_REF(out);
     407                 :            : 
     408                 :            :     /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
     409 [ +  + ][ +  - ]:      15174 :     POSIX_ENSURE(seed_a != NULL, S2N_ERR_PRF_INVALID_SEED);
     410 [ +  - ][ +  + ]:      15173 :     POSIX_ENSURE(S2N_IMPLIES(seed_c != NULL, seed_b != NULL), S2N_ERR_PRF_INVALID_SEED);
                 [ +  + ]
     411                 :            : 
     412         [ +  + ]:      15172 :     if (conn->actual_protocol_version == S2N_SSLv3) {
     413         [ -  + ]:        391 :         POSIX_GUARD(s2n_prf_sslv3(conn, secret, seed_a, seed_b, seed_c, out));
     414                 :        391 :         return S2N_SUCCESS;
     415                 :        391 :     }
     416                 :            : 
     417                 :            :     /* By default, s2n-tls uses a custom PRF implementation. When operating in FIPS mode, the
     418                 :            :      * FIPS-validated libcrypto implementation is used instead, if an implementation is provided.
     419                 :            :      */
     420         [ -  + ]:      14781 :     if (s2n_is_in_fips_mode()) {
     421         [ #  # ]:          0 :         POSIX_GUARD_RESULT(s2n_prf_libcrypto(conn, secret, label, seed_a, seed_b, seed_c, out));
     422                 :          0 :         return S2N_SUCCESS;
     423                 :          0 :     }
     424                 :            : 
     425         [ -  + ]:      14781 :     POSIX_GUARD_RESULT(s2n_prf_custom(conn, secret, label, seed_a, seed_b, seed_c, out));
     426                 :            : 
     427                 :      14781 :     return S2N_SUCCESS;
     428                 :      14781 : }
     429                 :            : 
     430                 :            : int s2n_prf_tls_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
     431                 :         39 : {
     432 [ -  + ][ #  # ]:         39 :     POSIX_ENSURE_REF(conn);
     433                 :            : 
     434                 :         39 :     struct s2n_blob client_random = { 0 };
     435         [ -  + ]:         39 :     POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
     436                 :         39 :     struct s2n_blob server_random = { 0 };
     437         [ -  + ]:         39 :     POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
     438                 :         39 :     struct s2n_blob master_secret = { 0 };
     439         [ -  + ]:         39 :     POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     440                 :            : 
     441                 :         39 :     uint8_t master_secret_label[] = "master secret";
     442                 :         39 :     struct s2n_blob label = { 0 };
     443         [ -  + ]:         39 :     POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
     444                 :            : 
     445                 :         39 :     return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
     446                 :         39 : }
     447                 :            : 
     448                 :            : int s2n_prf_hybrid_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
     449                 :          0 : {
     450 [ #  # ][ #  # ]:          0 :     POSIX_ENSURE_REF(conn);
     451                 :            : 
     452                 :          0 :     struct s2n_blob client_random = { 0 };
     453         [ #  # ]:          0 :     POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
     454                 :          0 :     struct s2n_blob server_random = { 0 };
     455         [ #  # ]:          0 :     POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
     456                 :          0 :     struct s2n_blob master_secret = { 0 };
     457         [ #  # ]:          0 :     POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     458                 :            : 
     459                 :          0 :     uint8_t master_secret_label[] = "hybrid master secret";
     460                 :          0 :     struct s2n_blob label = { 0 };
     461         [ #  # ]:          0 :     POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
     462                 :            : 
     463                 :          0 :     return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->kex_params.client_key_exchange_message, &master_secret);
     464                 :          0 : }
     465                 :            : 
     466                 :            : int s2n_prf_calculate_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
     467                 :       4524 : {
     468 [ -  + ][ #  # ]:       4524 :     POSIX_ENSURE_REF(conn);
     469 [ -  + ][ #  # ]:       4524 :     POSIX_ENSURE_REF(conn->secure);
     470                 :            : 
     471 [ +  + ][ +  - ]:       4524 :     POSIX_ENSURE_EQ(s2n_conn_get_current_message_type(conn), CLIENT_KEY);
     472                 :            : 
     473         [ +  + ]:       4523 :     if (!conn->ems_negotiated) {
     474         [ -  + ]:         34 :         POSIX_GUARD(s2n_prf_tls_master_secret(conn, premaster_secret));
     475                 :         34 :         return S2N_SUCCESS;
     476                 :         34 :     }
     477                 :            : 
     478                 :            :     /* Only the client writes the Client Key Exchange message */
     479         [ +  + ]:       4489 :     if (conn->mode == S2N_CLIENT) {
     480         [ -  + ]:       2230 :         POSIX_GUARD(s2n_handshake_finish_header(&conn->handshake.io));
     481                 :       2230 :     }
     482                 :       4489 :     struct s2n_stuffer client_key_message = conn->handshake.io;
     483         [ -  + ]:       4489 :     POSIX_GUARD(s2n_stuffer_reread(&client_key_message));
     484                 :       4489 :     uint32_t client_key_message_size = s2n_stuffer_data_available(&client_key_message);
     485                 :       4489 :     struct s2n_blob client_key_blob = { 0 };
     486         [ -  + ]:       4489 :     POSIX_GUARD(s2n_blob_init(&client_key_blob, client_key_message.blob.data, client_key_message_size));
     487                 :            : 
     488                 :       4489 :     uint8_t data[S2N_MAX_DIGEST_LEN] = { 0 };
     489                 :       4489 :     struct s2n_blob digest = { 0 };
     490         [ -  + ]:       4489 :     POSIX_GUARD(s2n_blob_init(&digest, data, sizeof(data)));
     491         [ +  + ]:       4489 :     if (conn->actual_protocol_version < S2N_TLS12) {
     492                 :        541 :         uint8_t sha1_data[S2N_MAX_DIGEST_LEN] = { 0 };
     493                 :        541 :         struct s2n_blob sha1_digest = { 0 };
     494         [ -  + ]:        541 :         POSIX_GUARD(s2n_blob_init(&sha1_digest, sha1_data, sizeof(sha1_data)));
     495         [ -  + ]:        541 :         POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_MD5, &digest));
     496         [ -  + ]:        541 :         POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_SHA1, &sha1_digest));
     497         [ -  + ]:        541 :         POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, &sha1_digest));
     498                 :       3948 :     } else {
     499                 :       3948 :         s2n_hmac_algorithm prf_alg = conn->secure->cipher_suite->prf_alg;
     500                 :       3948 :         s2n_hash_algorithm hash_alg = 0;
     501         [ -  + ]:       3948 :         POSIX_GUARD(s2n_hmac_hash_alg(prf_alg, &hash_alg));
     502         [ -  + ]:       3948 :         POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, hash_alg, &digest));
     503         [ -  + ]:       3948 :         POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, NULL));
     504                 :       3948 :     }
     505                 :       4489 :     return S2N_SUCCESS;
     506                 :       4489 : }
     507                 :            : 
     508                 :            : /**
     509                 :            :  *= https://www.rfc-editor.org/rfc/rfc7627#section-4
     510                 :            :  *# When the extended master secret extension is negotiated in a full
     511                 :            :  *# handshake, the "master_secret" is computed as
     512                 :            :  *#
     513                 :            :  *# master_secret = PRF(pre_master_secret, "extended master secret",
     514                 :            :  *#                    session_hash)
     515                 :            :  *#                    [0..47];
     516                 :            :  */
     517                 :            : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash)
     518                 :       4490 : {
     519 [ -  + ][ #  # ]:       4490 :     RESULT_ENSURE_REF(conn);
     520                 :            : 
     521                 :       4490 :     struct s2n_blob extended_master_secret = { 0 };
     522         [ -  + ]:       4490 :     RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     523                 :            : 
     524                 :       4490 :     uint8_t extended_master_secret_label[] = "extended master secret";
     525                 :            :     /* Subtract one from the label size to remove the "\0" */
     526                 :       4490 :     struct s2n_blob label = { 0 };
     527         [ -  + ]:       4490 :     RESULT_GUARD_POSIX(s2n_blob_init(&label, extended_master_secret_label, sizeof(extended_master_secret_label) - 1));
     528                 :            : 
     529         [ -  + ]:       4490 :     RESULT_GUARD_POSIX(s2n_prf(conn, premaster_secret, &label, session_hash, sha1_hash, NULL, &extended_master_secret));
     530                 :            : 
     531                 :       4490 :     return S2N_RESULT_OK;
     532                 :       4490 : }
     533                 :            : 
     534                 :            : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message, s2n_hash_algorithm hash_alg, struct s2n_blob *output)
     535                 :       5031 : {
     536 [ #  # ][ -  + ]:       5031 :     RESULT_ENSURE_REF(conn);
     537 [ #  # ][ -  + ]:       5031 :     RESULT_ENSURE_REF(conn->handshake.hashes);
     538 [ -  + ][ #  # ]:       5031 :     RESULT_ENSURE_REF(message);
     539 [ -  + ][ #  # ]:       5031 :     RESULT_ENSURE_REF(output);
     540                 :            : 
     541                 :       5031 :     struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
     542         [ -  + ]:       5031 :     RESULT_GUARD(s2n_handshake_copy_hash_state(conn, hash_alg, hash_state));
     543         [ -  + ]:       5031 :     RESULT_GUARD_POSIX(s2n_hash_update(hash_state, message->data, message->size));
     544                 :            : 
     545                 :       5031 :     uint8_t digest_size = 0;
     546         [ -  + ]:       5031 :     RESULT_GUARD_POSIX(s2n_hash_digest_size(hash_alg, &digest_size));
     547 [ -  + ][ #  # ]:       5031 :     RESULT_ENSURE_GTE(output->size, digest_size);
     548         [ -  + ]:       5031 :     RESULT_GUARD_POSIX(s2n_hash_digest(hash_state, output->data, digest_size));
     549                 :       5031 :     output->size = digest_size;
     550                 :            : 
     551                 :       5031 :     return S2N_RESULT_OK;
     552                 :       5031 : }
     553                 :            : 
     554                 :            : static int s2n_prf_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *hash_workspace, uint8_t *out)
     555                 :        389 : {
     556 [ -  + ][ #  # ]:        389 :     POSIX_ENSURE_REF(conn);
     557 [ -  + ][ #  # ]:        389 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     558                 :            : 
     559                 :        389 :     uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
     560                 :        389 :         0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 };
     561                 :        389 :     uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
     562                 :        389 :         0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c };
     563                 :        389 :     uint8_t *md5_digest = out;
     564                 :        389 :     uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
     565                 :            : 
     566         [ -  + ]:        389 :     POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH));
     567                 :            : 
     568                 :        389 :     struct s2n_hash_state *md5 = hash_workspace;
     569         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_copy(md5, &conn->handshake.hashes->md5));
     570         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, prefix, 4));
     571         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     572         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, xorpad1, 48));
     573         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
     574         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_reset(md5));
     575         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     576         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, xorpad2, 48));
     577         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
     578         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
     579         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_reset(md5));
     580                 :            : 
     581                 :        389 :     struct s2n_hash_state *sha1 = hash_workspace;
     582         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_copy(sha1, &conn->handshake.hashes->sha1));
     583         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, prefix, 4));
     584         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     585         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, xorpad1, 40));
     586         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
     587         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_reset(sha1));
     588         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     589         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, xorpad2, 40));
     590         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
     591         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
     592         [ -  + ]:        389 :     POSIX_GUARD(s2n_hash_reset(sha1));
     593                 :            : 
     594                 :        389 :     return 0;
     595                 :        389 : }
     596                 :            : 
     597                 :            : static int s2n_prf_sslv3_client_finished(struct s2n_connection *conn)
     598                 :        194 : {
     599 [ #  # ][ -  + ]:        194 :     POSIX_ENSURE_REF(conn);
     600 [ -  + ][ #  # ]:        194 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     601                 :            : 
     602                 :        194 :     uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
     603                 :            : 
     604                 :        194 :     return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.client_finished);
     605                 :        194 : }
     606                 :            : 
     607                 :            : static int s2n_prf_sslv3_server_finished(struct s2n_connection *conn)
     608                 :        195 : {
     609 [ -  + ][ #  # ]:        195 :     POSIX_ENSURE_REF(conn);
     610 [ -  + ][ #  # ]:        195 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     611                 :            : 
     612                 :        195 :     uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
     613                 :            : 
     614                 :        195 :     return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.server_finished);
     615                 :        195 : }
     616                 :            : 
     617                 :            : int s2n_prf_client_finished(struct s2n_connection *conn)
     618                 :       3670 : {
     619 [ -  + ][ #  # ]:       3670 :     POSIX_ENSURE_REF(conn);
     620 [ #  # ][ -  + ]:       3670 :     POSIX_ENSURE_REF(conn->secure);
     621 [ -  + ][ #  # ]:       3670 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     622                 :            : 
     623                 :       3670 :     struct s2n_blob master_secret, md5, sha;
     624                 :       3670 :     uint8_t md5_digest[MD5_DIGEST_LENGTH];
     625                 :       3670 :     uint8_t sha_digest[SHA384_DIGEST_LENGTH];
     626                 :       3670 :     uint8_t client_finished_label[] = "client finished";
     627                 :       3670 :     struct s2n_blob client_finished = { 0 };
     628                 :       3670 :     struct s2n_blob label = { 0 };
     629                 :            : 
     630         [ +  + ]:       3670 :     if (conn->actual_protocol_version == S2N_SSLv3) {
     631                 :        194 :         return s2n_prf_sslv3_client_finished(conn);
     632                 :        194 :     }
     633                 :            : 
     634                 :       3476 :     client_finished.data = conn->handshake.client_finished;
     635                 :       3476 :     client_finished.size = S2N_TLS_FINISHED_LEN;
     636         [ +  + ]:       3476 :     POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, client_finished.size));
     637                 :       3474 :     label.data = client_finished_label;
     638                 :       3474 :     label.size = sizeof(client_finished_label) - 1;
     639                 :            : 
     640                 :       3474 :     master_secret.data = conn->secrets.version.tls12.master_secret;
     641                 :       3474 :     master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
     642         [ +  + ]:       3474 :     if (conn->actual_protocol_version == S2N_TLS12) {
     643                 :       3128 :         switch (conn->secure->cipher_suite->prf_alg) {
     644         [ +  + ]:       2906 :             case S2N_HMAC_SHA256:
     645         [ -  + ]:       2906 :                 POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
     646         [ -  + ]:       2906 :                 POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
     647                 :       2906 :                 sha.size = SHA256_DIGEST_LENGTH;
     648                 :       2906 :                 break;
     649         [ +  + ]:        222 :             case S2N_HMAC_SHA384:
     650         [ -  + ]:        222 :                 POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
     651         [ -  + ]:        222 :                 POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
     652                 :        222 :                 sha.size = SHA384_DIGEST_LENGTH;
     653                 :        222 :                 break;
     654         [ -  + ]:          0 :             default:
     655         [ #  # ]:          0 :                 POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
     656                 :       3128 :         }
     657                 :            : 
     658                 :       3128 :         sha.data = sha_digest;
     659                 :       3128 :         return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
     660                 :       3128 :     }
     661                 :            : 
     662         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
     663         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
     664                 :        346 :     md5.data = md5_digest;
     665                 :        346 :     md5.size = MD5_DIGEST_LENGTH;
     666                 :            : 
     667         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
     668         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
     669                 :        346 :     sha.data = sha_digest;
     670                 :        346 :     sha.size = SHA_DIGEST_LENGTH;
     671                 :            : 
     672                 :        346 :     return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
     673                 :        346 : }
     674                 :            : 
     675                 :            : int s2n_prf_server_finished(struct s2n_connection *conn)
     676                 :       2749 : {
     677 [ #  # ][ -  + ]:       2749 :     POSIX_ENSURE_REF(conn);
     678 [ -  + ][ #  # ]:       2749 :     POSIX_ENSURE_REF(conn->secure);
     679 [ #  # ][ -  + ]:       2749 :     POSIX_ENSURE_REF(conn->handshake.hashes);
     680                 :            : 
     681                 :       2749 :     struct s2n_blob master_secret, md5, sha;
     682                 :       2749 :     uint8_t md5_digest[MD5_DIGEST_LENGTH];
     683                 :       2749 :     uint8_t sha_digest[SHA384_DIGEST_LENGTH];
     684                 :       2749 :     uint8_t server_finished_label[] = "server finished";
     685                 :       2749 :     struct s2n_blob server_finished = { 0 };
     686                 :       2749 :     struct s2n_blob label = { 0 };
     687                 :            : 
     688         [ +  + ]:       2749 :     if (conn->actual_protocol_version == S2N_SSLv3) {
     689                 :        195 :         return s2n_prf_sslv3_server_finished(conn);
     690                 :        195 :     }
     691                 :            : 
     692                 :       2554 :     server_finished.data = conn->handshake.server_finished;
     693                 :       2554 :     server_finished.size = S2N_TLS_FINISHED_LEN;
     694         [ -  + ]:       2554 :     POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, server_finished.size));
     695                 :       2554 :     label.data = server_finished_label;
     696                 :       2554 :     label.size = sizeof(server_finished_label) - 1;
     697                 :            : 
     698                 :       2554 :     master_secret.data = conn->secrets.version.tls12.master_secret;
     699                 :       2554 :     master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
     700         [ +  + ]:       2554 :     if (conn->actual_protocol_version == S2N_TLS12) {
     701                 :       2208 :         switch (conn->secure->cipher_suite->prf_alg) {
     702         [ +  + ]:       1989 :             case S2N_HMAC_SHA256:
     703         [ -  + ]:       1989 :                 POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
     704         [ -  + ]:       1989 :                 POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
     705                 :       1989 :                 sha.size = SHA256_DIGEST_LENGTH;
     706                 :       1989 :                 break;
     707         [ +  + ]:        219 :             case S2N_HMAC_SHA384:
     708         [ -  + ]:        219 :                 POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
     709         [ -  + ]:        219 :                 POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
     710                 :        219 :                 sha.size = SHA384_DIGEST_LENGTH;
     711                 :        219 :                 break;
     712         [ -  + ]:          0 :             default:
     713         [ #  # ]:          0 :                 POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
     714                 :       2208 :         }
     715                 :            : 
     716                 :       2208 :         sha.data = sha_digest;
     717                 :       2208 :         return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
     718                 :       2208 :     }
     719                 :            : 
     720         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
     721         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
     722                 :        346 :     md5.data = md5_digest;
     723                 :        346 :     md5.size = MD5_DIGEST_LENGTH;
     724                 :            : 
     725         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
     726         [ -  + ]:        346 :     POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
     727                 :        346 :     sha.data = sha_digest;
     728                 :        346 :     sha.size = SHA_DIGEST_LENGTH;
     729                 :            : 
     730                 :        346 :     return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
     731                 :        346 : }
     732                 :            : 
     733                 :            : static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
     734                 :       4585 : {
     735 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn);
     736 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure);
     737 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure->cipher_suite);
     738 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
     739                 :       4585 :     const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
     740 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher);
     741 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher->set_encryption_key);
     742 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher->set_decryption_key);
     743                 :            : 
     744         [ +  + ]:       4585 :     if (conn->mode == S2N_CLIENT) {
     745         [ -  + ]:       2270 :         POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->client_key, &key_material->client_key));
     746                 :       2315 :     } else {
     747         [ -  + ]:       2315 :         POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->client_key, &key_material->client_key));
     748                 :       2315 :     }
     749                 :            : 
     750                 :       4585 :     return 0;
     751                 :       4585 : }
     752                 :            : 
     753                 :            : static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
     754                 :       4585 : {
     755 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn);
     756 [ #  # ][ -  + ]:       4585 :     POSIX_ENSURE_REF(conn->secure);
     757 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure->cipher_suite);
     758 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
     759                 :       4585 :     const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
     760 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher);
     761 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher->set_encryption_key);
     762 [ #  # ][ -  + ]:       4585 :     POSIX_ENSURE_REF(cipher->set_decryption_key);
     763                 :            : 
     764         [ +  + ]:       4585 :     if (conn->mode == S2N_SERVER) {
     765         [ -  + ]:       2315 :         POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->server_key, &key_material->server_key));
     766                 :       2315 :     } else {
     767         [ -  + ]:       2270 :         POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->server_key, &key_material->server_key));
     768                 :       2270 :     }
     769                 :            : 
     770                 :       4585 :     return 0;
     771                 :       4585 : }
     772                 :            : 
     773                 :            : S2N_RESULT s2n_prf_generate_key_material(struct s2n_connection *conn, struct s2n_key_material *key_material)
     774                 :       4608 : {
     775 [ #  # ][ -  + ]:       4608 :     RESULT_ENSURE_REF(conn);
     776 [ -  + ][ #  # ]:       4608 :     RESULT_ENSURE_REF(key_material);
     777                 :            : 
     778                 :       4608 :     struct s2n_blob client_random = { 0 };
     779         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
     780                 :       4608 :     struct s2n_blob server_random = { 0 };
     781         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
     782                 :       4608 :     struct s2n_blob master_secret = { 0 };
     783         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
     784                 :            : 
     785                 :       4608 :     struct s2n_blob label = { 0 };
     786                 :       4608 :     uint8_t key_expansion_label[] = "key expansion";
     787         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_blob_init(&label, key_expansion_label, sizeof(key_expansion_label) - 1));
     788                 :            : 
     789         [ -  + ]:       4608 :     RESULT_GUARD(s2n_key_material_init(key_material, conn));
     790                 :       4608 :     struct s2n_blob prf_out = { 0 };
     791         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_blob_init(&prf_out, key_material->key_block, sizeof(key_material->key_block)));
     792         [ -  + ]:       4608 :     RESULT_GUARD_POSIX(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &prf_out));
     793                 :            : 
     794                 :       4608 :     return S2N_RESULT_OK;
     795                 :       4608 : }
     796                 :            : 
     797                 :            : int s2n_prf_key_expansion(struct s2n_connection *conn)
     798                 :       4585 : {
     799 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn);
     800 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(conn->secure);
     801                 :       4585 :     struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
     802 [ #  # ][ -  + ]:       4585 :     POSIX_ENSURE_REF(cipher_suite);
     803 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher_suite->record_alg);
     804                 :       4585 :     const struct s2n_cipher *cipher = cipher_suite->record_alg->cipher;
     805 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_REF(cipher);
     806                 :            : 
     807                 :       4585 :     struct s2n_key_material key_material = { 0 };
     808         [ -  + ]:       4585 :     POSIX_GUARD_RESULT(s2n_prf_generate_key_material(conn, &key_material));
     809                 :            : 
     810 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE(cipher_suite->available, S2N_ERR_PRF_INVALID_ALGORITHM);
     811         [ -  + ]:       4585 :     POSIX_GUARD_RESULT(cipher->init(&conn->secure->client_key));
     812         [ -  + ]:       4585 :     POSIX_GUARD_RESULT(cipher->init(&conn->secure->server_key));
     813                 :            : 
     814                 :            :     /* Seed the client MAC */
     815         [ -  + ]:       4585 :     POSIX_GUARD(s2n_hmac_reset(&conn->secure->client_record_mac));
     816         [ -  + ]:       4585 :     POSIX_GUARD(s2n_hmac_init(
     817                 :       4585 :             &conn->secure->client_record_mac,
     818                 :       4585 :             cipher_suite->record_alg->hmac_alg,
     819                 :       4585 :             key_material.client_mac.data,
     820                 :       4585 :             key_material.client_mac.size));
     821                 :            : 
     822                 :            :     /* Seed the server MAC */
     823         [ -  + ]:       4585 :     POSIX_GUARD(s2n_hmac_reset(&conn->secure->server_record_mac));
     824         [ -  + ]:       4585 :     POSIX_GUARD(s2n_hmac_init(
     825                 :       4585 :             &conn->secure->server_record_mac,
     826                 :       4585 :             conn->secure->cipher_suite->record_alg->hmac_alg,
     827                 :       4585 :             key_material.server_mac.data,
     828                 :       4585 :             key_material.server_mac.size));
     829                 :            : 
     830                 :            :     /* Make the client key */
     831         [ -  + ]:       4585 :     POSIX_GUARD(s2n_prf_make_client_key(conn, &key_material));
     832                 :            : 
     833                 :            :     /* Make the server key */
     834         [ -  + ]:       4585 :     POSIX_GUARD(s2n_prf_make_server_key(conn, &key_material));
     835                 :            : 
     836                 :            :     /* Composite CBC does MAC inside the cipher, pass it the MAC key.
     837                 :            :      * Must happen after setting encryption/decryption keys.
     838                 :            :      */
     839         [ +  + ]:       4585 :     if (cipher->type == S2N_COMPOSITE) {
     840         [ -  + ]:        770 :         POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->client_key, key_material.client_mac.data, key_material.client_mac.size));
     841         [ -  + ]:        770 :         POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->server_key, key_material.server_mac.data, key_material.server_mac.size));
     842                 :        770 :     }
     843                 :            : 
     844                 :            :     /* set IV */
     845 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_EQ(key_material.client_iv.size, key_material.server_iv.size);
     846 [ -  + ][ #  # ]:       4585 :     POSIX_ENSURE_LTE(key_material.client_iv.size, S2N_TLS_MAX_IV_LEN);
     847 [ -  + ][ #  # ]:       4585 :     POSIX_CHECKED_MEMCPY(conn->secure->client_implicit_iv, key_material.client_iv.data, key_material.client_iv.size);
                 [ +  + ]
     848 [ -  + ][ #  # ]:       4585 :     POSIX_CHECKED_MEMCPY(conn->secure->server_implicit_iv, key_material.server_iv.data, key_material.server_iv.size);
                 [ +  + ]
     849                 :            : 
     850                 :       4585 :     return 0;
     851                 :       4585 : }

Generated by: LCOV version 1.14