Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_prf.h"
17 : :
18 : : #include <openssl/hmac.h>
19 : : #include <openssl/md5.h>
20 : : #include <openssl/sha.h>
21 : : #include <string.h>
22 : : #include <sys/param.h>
23 : :
24 : : #include "crypto/s2n_fips.h"
25 : : #include "crypto/s2n_hash.h"
26 : : #include "crypto/s2n_hmac.h"
27 : : #include "crypto/s2n_prf_libcrypto.h"
28 : : #include "error/s2n_errno.h"
29 : : #include "stuffer/s2n_stuffer.h"
30 : : #include "tls/s2n_cipher_suites.h"
31 : : #include "tls/s2n_connection.h"
32 : : #include "tls/s2n_crypto_constants.h"
33 : : #include "tls/s2n_tls.h"
34 : : #include "utils/s2n_blob.h"
35 : : #include "utils/s2n_mem.h"
36 : : #include "utils/s2n_safety.h"
37 : :
38 : : /* The s2n p_hash implementation is abstracted to allow for separate implementations.
39 : : * Currently the only implementation uses s2n-tls's custom HMAC implementation.
40 : : */
41 : : struct s2n_p_hash_hmac {
42 : : int (*alloc)(struct s2n_prf_working_space *ws);
43 : : int (*init)(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret);
44 : : int (*update)(struct s2n_prf_working_space *ws, const void *data, uint32_t size);
45 : : int (*final)(struct s2n_prf_working_space *ws, void *digest, uint32_t size);
46 : : int (*reset)(struct s2n_prf_working_space *ws);
47 : : int (*cleanup)(struct s2n_prf_working_space *ws);
48 : : int (*free)(struct s2n_prf_working_space *ws);
49 : : };
50 : :
51 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message,
52 : : s2n_hash_algorithm hash_alg, struct s2n_blob *output);
53 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn,
54 : : struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash);
55 : :
56 : : S2N_RESULT s2n_key_material_init(struct s2n_key_material *key_material, struct s2n_connection *conn)
57 : 33279 : {
58 [ # # ][ - + ]: 33279 : RESULT_ENSURE_REF(key_material);
59 [ # # ][ - + ]: 33279 : RESULT_ENSURE_REF(conn);
60 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(conn->secure);
61 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(conn->secure->cipher_suite);
62 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg);
63 : 33279 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
64 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(cipher);
65 : :
66 : 33279 : uint8_t mac_size = 0;
67 : 33279 : uint32_t key_size = 0;
68 : 33279 : uint32_t iv_size = 0;
69 : :
70 : : /* MAC size */
71 [ + + ]: 33279 : if (cipher->type == S2N_COMPOSITE) {
72 : 29509 : mac_size = cipher->io.comp.mac_key_size;
73 : 29509 : } else {
74 [ - + ]: 3770 : RESULT_GUARD_POSIX(s2n_hmac_digest_size(conn->secure->cipher_suite->record_alg->hmac_alg, &mac_size));
75 : 3770 : }
76 : :
77 : : /* KEY size */
78 : 33279 : key_size = cipher->key_material_size;
79 : :
80 : : /* Only AEAD ciphers have implicit IVs for TLS >= 1.1 */
81 [ + + ][ + + ]: 33279 : if (conn->actual_protocol_version <= S2N_TLS10 || cipher->type == S2N_AEAD) {
82 : : /* IV size */
83 : 32417 : switch (cipher->type) {
84 [ + + ]: 3324 : case S2N_AEAD:
85 : 3324 : iv_size = cipher->io.aead.fixed_iv_size;
86 : 3324 : break;
87 [ + + ]: 234 : case S2N_CBC:
88 : 234 : iv_size = cipher->io.cbc.block_size;
89 : 234 : break;
90 [ + + ]: 28859 : case S2N_COMPOSITE:
91 : 28859 : iv_size = cipher->io.comp.block_size;
92 : 28859 : break;
93 : : /* No-op for stream ciphers */
94 [ - + ]: 0 : default:
95 : 0 : break;
96 : 32417 : }
97 : 32417 : }
98 : :
99 : 33279 : struct s2n_stuffer key_material_stuffer = { 0 };
100 : 33279 : struct s2n_blob key_material_blob = { 0 };
101 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material_blob, key_material->key_block, sizeof(key_material->key_block)));
102 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_stuffer_init_written(&key_material_stuffer, &key_material_blob));
103 : :
104 : : /* initialize key_material blobs; incrementing ptr to point to the next slice of memory */
105 : 33279 : uint8_t *ptr = NULL;
106 : : /* MAC */
107 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
108 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
109 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_mac, ptr, mac_size));
110 : :
111 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
112 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
113 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_mac, ptr, mac_size));
114 : :
115 : : /* KEY */
116 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
117 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
118 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_key, ptr, key_size));
119 : :
120 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
121 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
122 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_key, ptr, key_size));
123 : :
124 : : /* IV */
125 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
126 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
127 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_iv, ptr, iv_size));
128 : :
129 : 33279 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
130 [ - + ][ # # ]: 33279 : RESULT_ENSURE_REF(ptr);
131 [ - + ]: 33279 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_iv, ptr, iv_size));
132 : :
133 : 33279 : return S2N_RESULT_OK;
134 : 33279 : }
135 : :
136 : : static int s2n_prf_sslv3(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *seed_a,
137 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
138 : 385 : {
139 [ # # ][ - + ]: 385 : POSIX_ENSURE_REF(conn);
140 [ # # ][ - + ]: 385 : POSIX_ENSURE_REF(conn->handshake.hashes);
141 : 385 : struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
142 : :
143 : 385 : uint32_t outputlen = out->size;
144 : 385 : uint8_t *output = out->data;
145 : 385 : uint8_t iteration = 1;
146 : :
147 : 385 : uint8_t md5_digest[MD5_DIGEST_LENGTH] = { 0 }, sha_digest[SHA_DIGEST_LENGTH] = { 0 };
148 : :
149 : 385 : uint8_t A = 'A';
150 [ + + ]: 2884 : while (outputlen) {
151 : 2499 : struct s2n_hash_state *sha1 = workspace;
152 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_reset(sha1));
153 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1));
154 : :
155 [ + + ]: 14217 : for (int i = 0; i < iteration; i++) {
156 [ - + ]: 11718 : POSIX_GUARD(s2n_hash_update(sha1, &A, 1));
157 : 11718 : }
158 : :
159 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_update(sha1, secret->data, secret->size));
160 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
161 : :
162 [ + - ]: 2499 : if (seed_b) {
163 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
164 [ - + ]: 2499 : if (seed_c) {
165 [ # # ]: 0 : POSIX_GUARD(s2n_hash_update(sha1, seed_c->data, seed_c->size));
166 : 0 : }
167 : 2499 : }
168 : :
169 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, sizeof(sha_digest)));
170 : :
171 : 2499 : struct s2n_hash_state *md5 = workspace;
172 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_reset(md5));
173 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
174 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
175 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));
176 [ - + ]: 2499 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, sizeof(md5_digest)));
177 : :
178 : 2499 : uint32_t bytes_to_copy = MIN(outputlen, sizeof(md5_digest));
179 : :
180 [ - + ][ # # ]: 2499 : POSIX_CHECKED_MEMCPY(output, md5_digest, bytes_to_copy);
[ + - ]
181 : :
182 : 2499 : outputlen -= bytes_to_copy;
183 : 2499 : output += bytes_to_copy;
184 : :
185 : : /* Increment the letter */
186 : 2499 : A++;
187 : 2499 : iteration++;
188 : 2499 : }
189 : :
190 : 385 : return 0;
191 : 385 : }
192 : :
193 : : static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
194 : 125495 : {
195 [ - + ]: 125495 : POSIX_GUARD(s2n_hmac_new(&ws->p_hash.s2n_hmac));
196 : 125495 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, S2N_HMAC_NONE, NULL, 0);
197 : 125495 : }
198 : :
199 : : static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
200 : 15849 : {
201 : 15849 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, alg, secret->data, secret->size);
202 : 15849 : }
203 : :
204 : : static int s2n_hmac_p_hash_update(struct s2n_prf_working_space *ws, const void *data, uint32_t size)
205 : 236594 : {
206 : 236594 : return s2n_hmac_update(&ws->p_hash.s2n_hmac, data, size);
207 : 236594 : }
208 : :
209 : : static int s2n_hmac_p_hash_digest(struct s2n_prf_working_space *ws, void *digest, uint32_t size)
210 : 100181 : {
211 : 100181 : return s2n_hmac_digest(&ws->p_hash.s2n_hmac, digest, size);
212 : 100181 : }
213 : :
214 : : static int s2n_hmac_p_hash_reset(struct s2n_prf_working_space *ws)
215 : 3520768 : {
216 : : /* If we actually initialized s2n_hmac, wipe it.
217 : : * A valid, initialized s2n_hmac_state will have a valid block size.
218 : : */
219 [ + - ]: 3520768 : if (ws->p_hash.s2n_hmac.hash_block_size != 0) {
220 : 3520768 : return s2n_hmac_reset(&ws->p_hash.s2n_hmac);
221 : 3520768 : }
222 : 0 : return S2N_SUCCESS;
223 : 3520768 : }
224 : :
225 : : static int s2n_hmac_p_hash_cleanup(struct s2n_prf_working_space *ws)
226 : 15849 : {
227 : 15849 : return s2n_hmac_p_hash_reset(ws);
228 : 15849 : }
229 : :
230 : : static int s2n_hmac_p_hash_free(struct s2n_prf_working_space *ws)
231 : 125495 : {
232 : 125495 : return s2n_hmac_free(&ws->p_hash.s2n_hmac);
233 : 125495 : }
234 : :
235 : : static const struct s2n_p_hash_hmac s2n_internal_p_hash_hmac = {
236 : : .alloc = &s2n_hmac_p_hash_new,
237 : : .init = &s2n_hmac_p_hash_init,
238 : : .update = &s2n_hmac_p_hash_update,
239 : : .final = &s2n_hmac_p_hash_digest,
240 : : .reset = &s2n_hmac_p_hash_reset,
241 : : .cleanup = &s2n_hmac_p_hash_cleanup,
242 : : .free = &s2n_hmac_p_hash_free,
243 : : };
244 : :
245 : : /*
246 : : * For now, use the internal s2n-tls hmac abstraction.
247 : : * However, that is a custom implementation of hmac built on hashes.
248 : : * Ideally we should stop using our custom implementation here and switch
249 : : * to using a libcrypto implementation. Unfortunately, what each libcrypto
250 : : * can support varies a lot for HMACs.
251 : : *
252 : : * For historical reference, there used to be two other hmac implementations:
253 : : * https://github.com/aws/s2n-tls/blob/711ee0df658cd7c44088cf7a1b20a9f3cf5296d6/tls/s2n_prf.c#L174-L337
254 : : * Both implementations have compatibility issues with one or more libcryptos.
255 : : */
256 : : const struct s2n_p_hash_hmac *s2n_get_hmac_implementation()
257 : 3687426 : {
258 : 3687426 : return &s2n_internal_p_hash_hmac;
259 : 3687426 : }
260 : :
261 : : static int s2n_p_hash(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label,
262 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
263 : 15849 : {
264 : 15849 : uint8_t digest_size = 0;
265 [ - + ]: 15849 : POSIX_GUARD(s2n_hmac_digest_size(alg, &digest_size));
266 : :
267 : 15849 : const struct s2n_p_hash_hmac *hmac = s2n_get_hmac_implementation();
268 [ # # ][ - + ]: 15849 : POSIX_ENSURE_REF(hmac);
269 : :
270 : : /* First compute hmac(secret + A(0)) */
271 [ - + ]: 15849 : POSIX_GUARD(hmac->init(ws, alg, secret));
272 [ - + ]: 15849 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
273 [ - + ]: 15849 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
274 : :
275 [ + + ]: 15849 : if (seed_b) {
276 [ - + ]: 6782 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
277 [ + + ]: 6782 : if (seed_c) {
278 [ - + ]: 5 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
279 : 5 : }
280 : 6782 : }
281 [ - + ]: 15849 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
282 : :
283 : 15849 : uint32_t outputlen = out->size;
284 : 15849 : uint8_t *output = out->data;
285 : :
286 [ + + ]: 58015 : while (outputlen) {
287 : : /* Now compute hmac(secret + A(N - 1) + seed) */
288 [ - + ]: 42166 : POSIX_GUARD(hmac->reset(ws));
289 [ - + ]: 42166 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
290 : :
291 : : /* Add the label + seed and compute this round's A */
292 [ - + ]: 42166 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
293 [ - + ]: 42166 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
294 [ + + ]: 42166 : if (seed_b) {
295 [ - + ]: 29427 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
296 [ + + ]: 29427 : if (seed_c) {
297 [ - + ]: 18 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
298 : 18 : }
299 : 29427 : }
300 : :
301 [ - + ]: 42166 : POSIX_GUARD(hmac->final(ws, ws->digest1, digest_size));
302 : :
303 : 42166 : uint32_t bytes_to_xor = MIN(outputlen, digest_size);
304 : :
305 [ + + ]: 1089334 : for (size_t i = 0; i < bytes_to_xor; i++) {
306 : 1047168 : *output ^= ws->digest1[i];
307 : 1047168 : output++;
308 : 1047168 : outputlen--;
309 : 1047168 : }
310 : :
311 : : /* Stash a digest of A(N), in A(N), for the next round */
312 [ - + ]: 42166 : POSIX_GUARD(hmac->reset(ws));
313 [ - + ]: 42166 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
314 [ - + ]: 42166 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
315 : 42166 : }
316 : :
317 [ - + ]: 15849 : POSIX_GUARD(hmac->cleanup(ws));
318 : :
319 : 15849 : return 0;
320 : 15849 : }
321 : :
322 : : S2N_RESULT s2n_prf_new(struct s2n_connection *conn)
323 : 125496 : {
324 [ + + ][ + - ]: 125496 : RESULT_ENSURE_REF(conn);
325 [ - + ][ # # ]: 125495 : RESULT_ENSURE_EQ(conn->prf_space, NULL);
326 : :
327 : 125495 : DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
328 [ - + ]: 125495 : RESULT_GUARD_POSIX(s2n_realloc(&mem, sizeof(struct s2n_prf_working_space)));
329 [ - + ]: 125495 : RESULT_GUARD_POSIX(s2n_blob_zero(&mem));
330 : 125495 : conn->prf_space = (struct s2n_prf_working_space *) (void *) mem.data;
331 : 125495 : ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
332 : :
333 : : /* Allocate the hmac state */
334 : 125495 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
335 [ # # ][ - + ]: 125495 : RESULT_ENSURE_REF(hmac_impl);
336 [ - + ]: 125495 : RESULT_GUARD_POSIX(hmac_impl->alloc(conn->prf_space));
337 : 125495 : return S2N_RESULT_OK;
338 : 125495 : }
339 : :
340 : : S2N_RESULT s2n_prf_wipe(struct s2n_connection *conn)
341 : 3420589 : {
342 [ + - ][ + + ]: 3420589 : RESULT_ENSURE_REF(conn);
343 [ + + ][ + - ]: 3420588 : RESULT_ENSURE_REF(conn->prf_space);
344 : :
345 : 3420587 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
346 [ # # ][ - + ]: 3420587 : RESULT_ENSURE_REF(hmac_impl);
347 [ - + ]: 3420587 : RESULT_GUARD_POSIX(hmac_impl->reset(conn->prf_space));
348 : :
349 : 3420587 : return S2N_RESULT_OK;
350 : 3420587 : }
351 : :
352 : : S2N_RESULT s2n_prf_free(struct s2n_connection *conn)
353 : 125523 : {
354 [ + + ][ + - ]: 125523 : RESULT_ENSURE_REF(conn);
355 [ + + ]: 125522 : if (conn->prf_space == NULL) {
356 : 27 : return S2N_RESULT_OK;
357 : 27 : }
358 : :
359 : 125495 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
360 [ # # ][ - + ]: 125495 : RESULT_ENSURE_REF(hmac_impl);
361 [ - + ]: 125495 : RESULT_GUARD_POSIX(hmac_impl->free(conn->prf_space));
362 : :
363 [ - + ]: 125495 : RESULT_GUARD_POSIX(s2n_free_object((uint8_t **) &conn->prf_space, sizeof(struct s2n_prf_working_space)));
364 : 125495 : return S2N_RESULT_OK;
365 : 125495 : }
366 : :
367 : : S2N_RESULT s2n_prf_custom(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label,
368 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
369 : 14460 : {
370 : : /* We zero the out blob because p_hash works by XOR'ing with the existing
371 : : * buffer. This is a little convoluted but means we can avoid dynamic memory
372 : : * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
373 : : * the right values. When we call it twice in the regular case, the two
374 : : * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
375 : : */
376 [ - + ]: 14460 : RESULT_GUARD_POSIX(s2n_blob_zero(out));
377 : :
378 [ + + ]: 14460 : if (conn->actual_protocol_version == S2N_TLS12) {
379 [ - + ]: 13071 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, conn->secure->cipher_suite->prf_alg, secret, label, seed_a,
380 : 13071 : seed_b, seed_c, out));
381 : 13071 : return S2N_RESULT_OK;
382 : 13071 : }
383 : :
384 : 1389 : struct s2n_blob half_secret = { 0 };
385 [ - + ]: 1389 : RESULT_GUARD_POSIX(s2n_blob_init(&half_secret, secret->data, (secret->size + 1) / 2));
386 : :
387 [ - + ]: 1389 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
388 : 1389 : half_secret.data += secret->size - half_secret.size;
389 [ - + ]: 1389 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
390 : :
391 : 1389 : return S2N_RESULT_OK;
392 : 1389 : }
393 : :
394 : : int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
395 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
396 : 14852 : {
397 [ + - ][ + + ]: 14852 : POSIX_ENSURE_REF(conn);
398 [ - + ][ # # ]: 14851 : POSIX_ENSURE_REF(conn->secure);
399 [ - + ][ # # ]: 14851 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
400 [ + - ][ + + ]: 14851 : POSIX_ENSURE_REF(conn->prf_space);
401 [ + + ][ + - ]: 14850 : POSIX_ENSURE_REF(secret);
402 [ + + ][ + - ]: 14849 : POSIX_ENSURE_REF(label);
403 [ + + ][ + - ]: 14848 : POSIX_ENSURE_REF(out);
404 : :
405 : : /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
406 [ + - ][ + + ]: 14847 : POSIX_ENSURE(seed_a != NULL, S2N_ERR_PRF_INVALID_SEED);
407 [ + - ][ + + ]: 14846 : POSIX_ENSURE(S2N_IMPLIES(seed_c != NULL, seed_b != NULL), S2N_ERR_PRF_INVALID_SEED);
[ + + ]
408 : :
409 [ + + ]: 14845 : if (conn->actual_protocol_version == S2N_SSLv3) {
410 [ - + ]: 385 : POSIX_GUARD(s2n_prf_sslv3(conn, secret, seed_a, seed_b, seed_c, out));
411 : 385 : return S2N_SUCCESS;
412 : 385 : }
413 : :
414 : : /* By default, s2n-tls uses a custom PRF implementation. When operating in FIPS mode, the
415 : : * FIPS-validated libcrypto implementation is used instead, if an implementation is provided.
416 : : */
417 [ - + ]: 14460 : if (s2n_is_in_fips_mode()) {
418 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_prf_libcrypto(conn, secret, label, seed_a, seed_b, seed_c, out));
419 : 0 : return S2N_SUCCESS;
420 : 0 : }
421 : :
422 [ - + ]: 14460 : POSIX_GUARD_RESULT(s2n_prf_custom(conn, secret, label, seed_a, seed_b, seed_c, out));
423 : :
424 : 14460 : return S2N_SUCCESS;
425 : 14460 : }
426 : :
427 : : int s2n_prf_tls_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
428 : 39 : {
429 [ # # ][ - + ]: 39 : POSIX_ENSURE_REF(conn);
430 : :
431 : 39 : struct s2n_blob client_random = { 0 };
432 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random)));
433 : 39 : struct s2n_blob server_random = { 0 };
434 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
435 : 39 : struct s2n_blob master_secret = { 0 };
436 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
437 : :
438 : 39 : uint8_t master_secret_label[] = "master secret";
439 : 39 : struct s2n_blob label = { 0 };
440 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
441 : :
442 : 39 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
443 : 39 : }
444 : :
445 : : int s2n_prf_hybrid_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
446 : 0 : {
447 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
448 : :
449 : 0 : struct s2n_blob client_random = { 0 };
450 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random)));
451 : 0 : struct s2n_blob server_random = { 0 };
452 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
453 : 0 : struct s2n_blob master_secret = { 0 };
454 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
455 : :
456 : 0 : uint8_t master_secret_label[] = "hybrid master secret";
457 : 0 : struct s2n_blob label = { 0 };
458 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
459 : :
460 : 0 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->kex_params.client_key_exchange_message, &master_secret);
461 : 0 : }
462 : :
463 : : int s2n_prf_calculate_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
464 : 4444 : {
465 [ - + ][ # # ]: 4444 : POSIX_ENSURE_REF(conn);
466 [ # # ][ - + ]: 4444 : POSIX_ENSURE_REF(conn->secure);
467 : :
468 [ + + ][ + - ]: 4444 : POSIX_ENSURE_EQ(s2n_conn_get_current_message_type(conn), CLIENT_KEY);
469 : :
470 [ + + ]: 4443 : if (!conn->ems_negotiated) {
471 [ - + ]: 34 : POSIX_GUARD(s2n_prf_tls_master_secret(conn, premaster_secret));
472 : 34 : return S2N_SUCCESS;
473 : 34 : }
474 : :
475 : : /* Only the client writes the Client Key Exchange message */
476 [ + + ]: 4409 : if (conn->mode == S2N_CLIENT) {
477 [ - + ]: 2188 : POSIX_GUARD(s2n_handshake_finish_header(&conn->handshake.io));
478 : 2188 : }
479 : 4409 : struct s2n_stuffer client_key_message = conn->handshake.io;
480 [ - + ]: 4409 : POSIX_GUARD(s2n_stuffer_reread(&client_key_message));
481 : 4409 : uint32_t client_key_message_size = s2n_stuffer_data_available(&client_key_message);
482 : 4409 : struct s2n_blob client_key_blob = { 0 };
483 [ - + ]: 4409 : POSIX_GUARD(s2n_blob_init(&client_key_blob, client_key_message.blob.data, client_key_message_size));
484 : :
485 : 4409 : uint8_t data[S2N_MAX_DIGEST_LEN] = { 0 };
486 : 4409 : struct s2n_blob digest = { 0 };
487 [ - + ]: 4409 : POSIX_GUARD(s2n_blob_init(&digest, data, sizeof(data)));
488 [ + + ]: 4409 : if (conn->actual_protocol_version < S2N_TLS12) {
489 : 537 : uint8_t sha1_data[S2N_MAX_DIGEST_LEN] = { 0 };
490 : 537 : struct s2n_blob sha1_digest = { 0 };
491 [ - + ]: 537 : POSIX_GUARD(s2n_blob_init(&sha1_digest, sha1_data, sizeof(sha1_data)));
492 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_MD5, &digest));
493 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_SHA1, &sha1_digest));
494 [ - + ]: 537 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, &sha1_digest));
495 : 3872 : } else {
496 : 3872 : s2n_hmac_algorithm prf_alg = conn->secure->cipher_suite->prf_alg;
497 : 3872 : s2n_hash_algorithm hash_alg = 0;
498 [ - + ]: 3872 : POSIX_GUARD(s2n_hmac_hash_alg(prf_alg, &hash_alg));
499 [ - + ]: 3872 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, hash_alg, &digest));
500 [ - + ]: 3872 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, NULL));
501 : 3872 : }
502 : 4409 : return S2N_SUCCESS;
503 : 4409 : }
504 : :
505 : : /**
506 : : *= https://www.rfc-editor.org/rfc/rfc7627#section-4
507 : : *# When the extended master secret extension is negotiated in a full
508 : : *# handshake, the "master_secret" is computed as
509 : : *#
510 : : *# master_secret = PRF(pre_master_secret, "extended master secret",
511 : : *# session_hash)
512 : : *# [0..47];
513 : : */
514 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash)
515 : 4410 : {
516 [ # # ][ - + ]: 4410 : RESULT_ENSURE_REF(conn);
517 : :
518 : 4410 : struct s2n_blob extended_master_secret = { 0 };
519 [ - + ]: 4410 : RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
520 : :
521 : 4410 : uint8_t extended_master_secret_label[] = "extended master secret";
522 : : /* Subtract one from the label size to remove the "\0" */
523 : 4410 : struct s2n_blob label = { 0 };
524 [ - + ]: 4410 : RESULT_GUARD_POSIX(s2n_blob_init(&label, extended_master_secret_label, sizeof(extended_master_secret_label) - 1));
525 : :
526 [ - + ]: 4410 : RESULT_GUARD_POSIX(s2n_prf(conn, premaster_secret, &label, session_hash, sha1_hash, NULL, &extended_master_secret));
527 : :
528 : 4410 : return S2N_RESULT_OK;
529 : 4410 : }
530 : :
531 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message, s2n_hash_algorithm hash_alg, struct s2n_blob *output)
532 : 4947 : {
533 [ - + ][ # # ]: 4947 : RESULT_ENSURE_REF(conn);
534 [ - + ][ # # ]: 4947 : RESULT_ENSURE_REF(conn->handshake.hashes);
535 [ # # ][ - + ]: 4947 : RESULT_ENSURE_REF(message);
536 [ # # ][ - + ]: 4947 : RESULT_ENSURE_REF(output);
537 : :
538 : 4947 : struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
539 [ - + ]: 4947 : RESULT_GUARD(s2n_handshake_copy_hash_state(conn, hash_alg, hash_state));
540 [ - + ]: 4947 : RESULT_GUARD_POSIX(s2n_hash_update(hash_state, message->data, message->size));
541 : :
542 : 4947 : uint8_t digest_size = 0;
543 [ - + ]: 4947 : RESULT_GUARD_POSIX(s2n_hash_digest_size(hash_alg, &digest_size));
544 [ - + ][ # # ]: 4947 : RESULT_ENSURE_GTE(output->size, digest_size);
545 [ - + ]: 4947 : RESULT_GUARD_POSIX(s2n_hash_digest(hash_state, output->data, digest_size));
546 : 4947 : output->size = digest_size;
547 : :
548 : 4947 : return S2N_RESULT_OK;
549 : 4947 : }
550 : :
551 : : static int s2n_prf_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *hash_workspace, uint8_t *out)
552 : 385 : {
553 [ - + ][ # # ]: 385 : POSIX_ENSURE_REF(conn);
554 [ # # ][ - + ]: 385 : POSIX_ENSURE_REF(conn->handshake.hashes);
555 : :
556 : 385 : uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
557 : 385 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 };
558 : 385 : uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
559 : 385 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c };
560 : 385 : uint8_t *md5_digest = out;
561 : 385 : uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
562 : :
563 [ - + ]: 385 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH));
564 : :
565 : 385 : struct s2n_hash_state *md5 = hash_workspace;
566 [ - + ]: 385 : POSIX_GUARD(s2n_hash_copy(md5, &conn->handshake.hashes->md5));
567 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, prefix, 4));
568 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
569 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, xorpad1, 48));
570 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
571 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(md5));
572 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
573 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, xorpad2, 48));
574 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
575 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
576 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(md5));
577 : :
578 : 385 : struct s2n_hash_state *sha1 = hash_workspace;
579 [ - + ]: 385 : POSIX_GUARD(s2n_hash_copy(sha1, &conn->handshake.hashes->sha1));
580 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, prefix, 4));
581 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
582 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, xorpad1, 40));
583 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
584 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(sha1));
585 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
586 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, xorpad2, 40));
587 [ - + ]: 385 : POSIX_GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
588 [ - + ]: 385 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
589 [ - + ]: 385 : POSIX_GUARD(s2n_hash_reset(sha1));
590 : :
591 : 385 : return 0;
592 : 385 : }
593 : :
594 : : static int s2n_prf_sslv3_client_finished(struct s2n_connection *conn)
595 : 192 : {
596 [ # # ][ - + ]: 192 : POSIX_ENSURE_REF(conn);
597 [ # # ][ - + ]: 192 : POSIX_ENSURE_REF(conn->handshake.hashes);
598 : :
599 : 192 : uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
600 : :
601 : 192 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.client_finished);
602 : 192 : }
603 : :
604 : : static int s2n_prf_sslv3_server_finished(struct s2n_connection *conn)
605 : 193 : {
606 [ # # ][ - + ]: 193 : POSIX_ENSURE_REF(conn);
607 [ - + ][ # # ]: 193 : POSIX_ENSURE_REF(conn->handshake.hashes);
608 : :
609 : 193 : uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
610 : :
611 : 193 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.server_finished);
612 : 193 : }
613 : :
614 : : int s2n_prf_client_finished(struct s2n_connection *conn)
615 : 3592 : {
616 [ # # ][ - + ]: 3592 : POSIX_ENSURE_REF(conn);
617 [ - + ][ # # ]: 3592 : POSIX_ENSURE_REF(conn->secure);
618 [ - + ][ # # ]: 3592 : POSIX_ENSURE_REF(conn->handshake.hashes);
619 : :
620 : 3592 : struct s2n_blob master_secret, md5, sha;
621 : 3592 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
622 : 3592 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
623 : 3592 : uint8_t client_finished_label[] = "client finished";
624 : 3592 : struct s2n_blob client_finished = { 0 };
625 : 3592 : struct s2n_blob label = { 0 };
626 : :
627 [ + + ]: 3592 : if (conn->actual_protocol_version == S2N_SSLv3) {
628 : 192 : return s2n_prf_sslv3_client_finished(conn);
629 : 192 : }
630 : :
631 : 3400 : client_finished.data = conn->handshake.client_finished;
632 : 3400 : client_finished.size = S2N_TLS_FINISHED_LEN;
633 [ + + ]: 3400 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, client_finished.size));
634 : 3398 : label.data = client_finished_label;
635 : 3398 : label.size = sizeof(client_finished_label) - 1;
636 : :
637 : 3398 : master_secret.data = conn->secrets.version.tls12.master_secret;
638 : 3398 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
639 [ + + ]: 3398 : if (conn->actual_protocol_version == S2N_TLS12) {
640 : 3054 : switch (conn->secure->cipher_suite->prf_alg) {
641 [ + + ]: 2828 : case S2N_HMAC_SHA256:
642 [ - + ]: 2828 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
643 [ - + ]: 2828 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
644 : 2828 : sha.size = SHA256_DIGEST_LENGTH;
645 : 2828 : break;
646 [ + + ]: 226 : case S2N_HMAC_SHA384:
647 [ - + ]: 226 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
648 [ - + ]: 226 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
649 : 226 : sha.size = SHA384_DIGEST_LENGTH;
650 : 226 : break;
651 [ - + ]: 0 : default:
652 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
653 : 3054 : }
654 : :
655 : 3054 : sha.data = sha_digest;
656 : 3054 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
657 : 3054 : }
658 : :
659 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
660 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
661 : 344 : md5.data = md5_digest;
662 : 344 : md5.size = MD5_DIGEST_LENGTH;
663 : :
664 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
665 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
666 : 344 : sha.data = sha_digest;
667 : 344 : sha.size = SHA_DIGEST_LENGTH;
668 : :
669 : 344 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
670 : 344 : }
671 : :
672 : : int s2n_prf_server_finished(struct s2n_connection *conn)
673 : 2671 : {
674 [ # # ][ - + ]: 2671 : POSIX_ENSURE_REF(conn);
675 [ - + ][ # # ]: 2671 : POSIX_ENSURE_REF(conn->secure);
676 [ - + ][ # # ]: 2671 : POSIX_ENSURE_REF(conn->handshake.hashes);
677 : :
678 : 2671 : struct s2n_blob master_secret, md5, sha;
679 : 2671 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
680 : 2671 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
681 : 2671 : uint8_t server_finished_label[] = "server finished";
682 : 2671 : struct s2n_blob server_finished = { 0 };
683 : 2671 : struct s2n_blob label = { 0 };
684 : :
685 [ + + ]: 2671 : if (conn->actual_protocol_version == S2N_SSLv3) {
686 : 193 : return s2n_prf_sslv3_server_finished(conn);
687 : 193 : }
688 : :
689 : 2478 : server_finished.data = conn->handshake.server_finished;
690 : 2478 : server_finished.size = S2N_TLS_FINISHED_LEN;
691 [ - + ]: 2478 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, server_finished.size));
692 : 2478 : label.data = server_finished_label;
693 : 2478 : label.size = sizeof(server_finished_label) - 1;
694 : :
695 : 2478 : master_secret.data = conn->secrets.version.tls12.master_secret;
696 : 2478 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
697 [ + + ]: 2478 : if (conn->actual_protocol_version == S2N_TLS12) {
698 : 2134 : switch (conn->secure->cipher_suite->prf_alg) {
699 [ + + ]: 1911 : case S2N_HMAC_SHA256:
700 [ - + ]: 1911 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
701 [ - + ]: 1911 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
702 : 1911 : sha.size = SHA256_DIGEST_LENGTH;
703 : 1911 : break;
704 [ + + ]: 223 : case S2N_HMAC_SHA384:
705 [ - + ]: 223 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
706 [ - + ]: 223 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
707 : 223 : sha.size = SHA384_DIGEST_LENGTH;
708 : 223 : break;
709 [ - + ]: 0 : default:
710 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
711 : 2134 : }
712 : :
713 : 2134 : sha.data = sha_digest;
714 : 2134 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
715 : 2134 : }
716 : :
717 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
718 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
719 : 344 : md5.data = md5_digest;
720 : 344 : md5.size = MD5_DIGEST_LENGTH;
721 : :
722 [ - + ]: 344 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
723 [ - + ]: 344 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
724 : 344 : sha.data = sha_digest;
725 : 344 : sha.size = SHA_DIGEST_LENGTH;
726 : :
727 : 344 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
728 : 344 : }
729 : :
730 : : static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
731 : 4490 : {
732 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn);
733 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure);
734 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
735 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
736 : 4490 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
737 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher);
738 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher->set_encryption_key);
739 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher->set_decryption_key);
740 : :
741 [ + + ]: 4490 : if (conn->mode == S2N_CLIENT) {
742 [ - + ]: 2228 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->client_key, &key_material->client_key));
743 : 2262 : } else {
744 [ - + ]: 2262 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->client_key, &key_material->client_key));
745 : 2262 : }
746 : :
747 : 4490 : return 0;
748 : 4490 : }
749 : :
750 : : static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
751 : 4490 : {
752 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn);
753 [ # # ][ - + ]: 4490 : POSIX_ENSURE_REF(conn->secure);
754 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
755 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
756 : 4490 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
757 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher);
758 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher->set_encryption_key);
759 [ # # ][ - + ]: 4490 : POSIX_ENSURE_REF(cipher->set_decryption_key);
760 : :
761 [ + + ]: 4490 : if (conn->mode == S2N_SERVER) {
762 [ - + ]: 2262 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->server_key, &key_material->server_key));
763 : 2262 : } else {
764 [ - + ]: 2228 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->server_key, &key_material->server_key));
765 : 2228 : }
766 : :
767 : 4490 : return 0;
768 : 4490 : }
769 : :
770 : : S2N_RESULT s2n_prf_generate_key_material(struct s2n_connection *conn, struct s2n_key_material *key_material)
771 : 4513 : {
772 [ # # ][ - + ]: 4513 : RESULT_ENSURE_REF(conn);
773 [ - + ][ # # ]: 4513 : RESULT_ENSURE_REF(key_material);
774 : :
775 : 4513 : struct s2n_blob client_random = { 0 };
776 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_blob_init(&client_random, conn->handshake_params.client_random, sizeof(conn->handshake_params.client_random)));
777 : 4513 : struct s2n_blob server_random = { 0 };
778 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
779 : 4513 : struct s2n_blob master_secret = { 0 };
780 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
781 : :
782 : 4513 : struct s2n_blob label = { 0 };
783 : 4513 : uint8_t key_expansion_label[] = "key expansion";
784 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_blob_init(&label, key_expansion_label, sizeof(key_expansion_label) - 1));
785 : :
786 [ - + ]: 4513 : RESULT_GUARD(s2n_key_material_init(key_material, conn));
787 : 4513 : struct s2n_blob prf_out = { 0 };
788 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_blob_init(&prf_out, key_material->key_block, sizeof(key_material->key_block)));
789 [ - + ]: 4513 : RESULT_GUARD_POSIX(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &prf_out));
790 : :
791 : 4513 : return S2N_RESULT_OK;
792 : 4513 : }
793 : :
794 : : int s2n_prf_key_expansion(struct s2n_connection *conn)
795 : 4490 : {
796 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn);
797 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(conn->secure);
798 : 4490 : struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
799 [ # # ][ - + ]: 4490 : POSIX_ENSURE_REF(cipher_suite);
800 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher_suite->record_alg);
801 : 4490 : const struct s2n_cipher *cipher = cipher_suite->record_alg->cipher;
802 [ - + ][ # # ]: 4490 : POSIX_ENSURE_REF(cipher);
803 : :
804 : 4490 : struct s2n_key_material key_material = { 0 };
805 [ - + ]: 4490 : POSIX_GUARD_RESULT(s2n_prf_generate_key_material(conn, &key_material));
806 : :
807 [ - + ][ # # ]: 4490 : POSIX_ENSURE(cipher_suite->available, S2N_ERR_PRF_INVALID_ALGORITHM);
808 [ - + ]: 4490 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->client_key));
809 [ - + ]: 4490 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->server_key));
810 : :
811 : : /* Seed the client MAC */
812 [ - + ]: 4490 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->client_record_mac));
813 [ - + ]: 4490 : POSIX_GUARD(s2n_hmac_init(
814 : 4490 : &conn->secure->client_record_mac,
815 : 4490 : cipher_suite->record_alg->hmac_alg,
816 : 4490 : key_material.client_mac.data,
817 : 4490 : key_material.client_mac.size));
818 : :
819 : : /* Seed the server MAC */
820 [ - + ]: 4490 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->server_record_mac));
821 [ - + ]: 4490 : POSIX_GUARD(s2n_hmac_init(
822 : 4490 : &conn->secure->server_record_mac,
823 : 4490 : conn->secure->cipher_suite->record_alg->hmac_alg,
824 : 4490 : key_material.server_mac.data,
825 : 4490 : key_material.server_mac.size));
826 : :
827 : : /* Make the client key */
828 [ - + ]: 4490 : POSIX_GUARD(s2n_prf_make_client_key(conn, &key_material));
829 : :
830 : : /* Make the server key */
831 [ - + ]: 4490 : POSIX_GUARD(s2n_prf_make_server_key(conn, &key_material));
832 : :
833 : : /* Composite CBC does MAC inside the cipher, pass it the MAC key.
834 : : * Must happen after setting encryption/decryption keys.
835 : : */
836 [ + + ]: 4490 : if (cipher->type == S2N_COMPOSITE) {
837 [ - + ]: 765 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->client_key, key_material.client_mac.data, key_material.client_mac.size));
838 [ - + ]: 765 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->server_key, key_material.server_mac.data, key_material.server_mac.size));
839 : 765 : }
840 : :
841 : : /* set IV */
842 [ - + ][ # # ]: 4490 : POSIX_ENSURE_EQ(key_material.client_iv.size, key_material.server_iv.size);
843 [ - + ][ # # ]: 4490 : POSIX_ENSURE_LTE(key_material.client_iv.size, S2N_TLS_MAX_IV_LEN);
844 [ - + ][ # # ]: 4490 : POSIX_CHECKED_MEMCPY(conn->secure->client_implicit_iv, key_material.client_iv.data, key_material.client_iv.size);
[ + + ]
845 [ - + ][ # # ]: 4490 : POSIX_CHECKED_MEMCPY(conn->secure->server_implicit_iv, key_material.server_iv.data, key_material.server_iv.size);
[ + + ]
846 : :
847 : 4490 : return 0;
848 : 4490 : }
|
