Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_prf.h"
17 : :
18 : : #include <openssl/hmac.h>
19 : : #include <openssl/md5.h>
20 : : #include <openssl/sha.h>
21 : : #include <string.h>
22 : :
23 : : #include "crypto/s2n_fips.h"
24 : : #include "crypto/s2n_hash.h"
25 : : #include "crypto/s2n_hmac.h"
26 : : #include "crypto/s2n_prf_libcrypto.h"
27 : : #include "error/s2n_errno.h"
28 : : #include "stuffer/s2n_stuffer.h"
29 : : #include "tls/s2n_cipher_suites.h"
30 : : #include "tls/s2n_connection.h"
31 : : #include "tls/s2n_crypto_constants.h"
32 : : #include "tls/s2n_tls.h"
33 : : #include "utils/s2n_blob.h"
34 : : #include "utils/s2n_mem.h"
35 : : #include "utils/s2n_safety.h"
36 : :
37 : : /* The s2n p_hash implementation is abstracted to allow for separate implementations.
38 : : * Currently the only implementation uses s2n-tls's custom HMAC implementation.
39 : : */
40 : : struct s2n_p_hash_hmac {
41 : : int (*alloc)(struct s2n_prf_working_space *ws);
42 : : int (*init)(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret);
43 : : int (*update)(struct s2n_prf_working_space *ws, const void *data, uint32_t size);
44 : : int (*final)(struct s2n_prf_working_space *ws, void *digest, uint32_t size);
45 : : int (*reset)(struct s2n_prf_working_space *ws);
46 : : int (*cleanup)(struct s2n_prf_working_space *ws);
47 : : int (*free)(struct s2n_prf_working_space *ws);
48 : : };
49 : :
50 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message,
51 : : s2n_hash_algorithm hash_alg, struct s2n_blob *output);
52 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn,
53 : : struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash);
54 : :
55 : : S2N_RESULT s2n_key_material_init(struct s2n_key_material *key_material, struct s2n_connection *conn)
56 : 33374 : {
57 [ # # ][ - + ]: 33374 : RESULT_ENSURE_REF(key_material);
58 [ # # ][ - + ]: 33374 : RESULT_ENSURE_REF(conn);
59 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(conn->secure);
60 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(conn->secure->cipher_suite);
61 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg);
62 : 33374 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
63 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(cipher);
64 : :
65 : 33374 : uint8_t mac_size = 0;
66 : 33374 : uint32_t key_size = 0;
67 : 33374 : uint32_t iv_size = 0;
68 : :
69 : : /* MAC size */
70 [ + + ]: 33374 : if (cipher->type == S2N_COMPOSITE) {
71 : 29514 : mac_size = cipher->io.comp.mac_key_size;
72 : 29514 : } else {
73 [ - + ]: 3860 : RESULT_GUARD_POSIX(s2n_hmac_digest_size(conn->secure->cipher_suite->record_alg->hmac_alg, &mac_size));
74 : 3860 : }
75 : :
76 : : /* KEY size */
77 : 33374 : key_size = cipher->key_material_size;
78 : :
79 : : /* Only AEAD ciphers have implicit IVs for TLS >= 1.1 */
80 [ + + ][ + + ]: 33374 : if (conn->actual_protocol_version <= S2N_TLS10 || cipher->type == S2N_AEAD) {
81 : : /* IV size */
82 : 32504 : switch (cipher->type) {
83 [ + + ]: 3405 : case S2N_AEAD:
84 : 3405 : iv_size = cipher->io.aead.fixed_iv_size;
85 : 3405 : break;
86 [ + + ]: 237 : case S2N_CBC:
87 : 237 : iv_size = cipher->io.cbc.block_size;
88 : 237 : break;
89 [ + + ]: 28862 : case S2N_COMPOSITE:
90 : 28862 : iv_size = cipher->io.comp.block_size;
91 : 28862 : break;
92 : : /* No-op for stream ciphers */
93 [ - + ]: 0 : default:
94 : 0 : break;
95 : 32504 : }
96 : 32504 : }
97 : :
98 : 33374 : struct s2n_stuffer key_material_stuffer = { 0 };
99 : 33374 : struct s2n_blob key_material_blob = { 0 };
100 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material_blob, key_material->key_block, sizeof(key_material->key_block)));
101 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_stuffer_init_written(&key_material_stuffer, &key_material_blob));
102 : :
103 : : /* initialize key_material blobs; incrementing ptr to point to the next slice of memory */
104 : 33374 : uint8_t *ptr = NULL;
105 : : /* MAC */
106 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
107 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
108 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_mac, ptr, mac_size));
109 : :
110 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, mac_size);
111 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
112 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_mac, ptr, mac_size));
113 : :
114 : : /* KEY */
115 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
116 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
117 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_key, ptr, key_size));
118 : :
119 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, key_size);
120 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
121 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_key, ptr, key_size));
122 : :
123 : : /* IV */
124 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
125 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
126 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->client_iv, ptr, iv_size));
127 : :
128 : 33374 : ptr = s2n_stuffer_raw_read(&key_material_stuffer, iv_size);
129 [ - + ][ # # ]: 33374 : RESULT_ENSURE_REF(ptr);
130 [ - + ]: 33374 : RESULT_GUARD_POSIX(s2n_blob_init(&key_material->server_iv, ptr, iv_size));
131 : :
132 : 33374 : return S2N_RESULT_OK;
133 : 33374 : }
134 : :
135 : : /* SSLv3 PRF uses MD5 and SHA-1 in a custom hash-based construction (not
136 : : * HMAC). The use of weak hash algorithms is inherent to the SSLv3 protocol
137 : : * specification. SSLv3 is disabled by default and not recommended.
138 : : */
139 : : static int s2n_prf_sslv3(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *seed_a,
140 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
141 : 391 : {
142 [ # # ][ - + ]: 391 : POSIX_ENSURE_REF(conn);
143 [ # # ][ - + ]: 391 : POSIX_ENSURE_REF(conn->handshake.hashes);
144 : 391 : struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
145 : :
146 : 391 : uint32_t outputlen = out->size;
147 : 391 : uint8_t *output = out->data;
148 : 391 : uint8_t iteration = 1;
149 : :
150 : 391 : uint8_t md5_digest[MD5_DIGEST_LENGTH] = { 0 }, sha_digest[SHA_DIGEST_LENGTH] = { 0 };
151 : :
152 : 391 : uint8_t A = 'A';
153 [ + + ]: 2936 : while (outputlen) {
154 : 2545 : struct s2n_hash_state *sha1 = workspace;
155 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_reset(sha1));
156 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_init(sha1, S2N_HASH_SHA1));
157 : :
158 [ + + ]: 14495 : for (int i = 0; i < iteration; i++) {
159 [ - + ]: 11950 : POSIX_GUARD(s2n_hash_update(sha1, &A, 1));
160 : 11950 : }
161 : :
162 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_update(sha1, secret->data, secret->size));
163 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_update(sha1, seed_a->data, seed_a->size));
164 : :
165 [ + - ]: 2545 : if (seed_b) {
166 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_update(sha1, seed_b->data, seed_b->size));
167 [ - + ]: 2545 : if (seed_c) {
168 [ # # ]: 0 : POSIX_GUARD(s2n_hash_update(sha1, seed_c->data, seed_c->size));
169 : 0 : }
170 : 2545 : }
171 : :
172 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, sizeof(sha_digest)));
173 : :
174 : 2545 : struct s2n_hash_state *md5 = workspace;
175 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_reset(md5));
176 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
177 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
178 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));
179 [ - + ]: 2545 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, sizeof(md5_digest)));
180 : :
181 [ - + ]: 2545 : uint32_t bytes_to_copy = S2N_MIN(outputlen, sizeof(md5_digest));
182 : :
183 [ - + ][ # # ]: 2545 : POSIX_CHECKED_MEMCPY(output, md5_digest, bytes_to_copy);
[ + - ]
184 : :
185 : 2545 : outputlen -= bytes_to_copy;
186 : 2545 : output += bytes_to_copy;
187 : :
188 : : /* Increment the letter */
189 : 2545 : A++;
190 : 2545 : iteration++;
191 : 2545 : }
192 : :
193 : 391 : return 0;
194 : 391 : }
195 : :
196 : : static int s2n_hmac_p_hash_new(struct s2n_prf_working_space *ws)
197 : 126947 : {
198 [ - + ]: 126947 : POSIX_GUARD(s2n_hmac_new(&ws->p_hash.s2n_hmac));
199 : 126947 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, S2N_HMAC_NONE, NULL, 0);
200 : 126947 : }
201 : :
202 : : static int s2n_hmac_p_hash_init(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret)
203 : 16181 : {
204 : 16181 : return s2n_hmac_init(&ws->p_hash.s2n_hmac, alg, secret->data, secret->size);
205 : 16181 : }
206 : :
207 : : static int s2n_hmac_p_hash_update(struct s2n_prf_working_space *ws, const void *data, uint32_t size)
208 : 241284 : {
209 : 241284 : return s2n_hmac_update(&ws->p_hash.s2n_hmac, data, size);
210 : 241284 : }
211 : :
212 : : static int s2n_hmac_p_hash_digest(struct s2n_prf_working_space *ws, void *digest, uint32_t size)
213 : 102201 : {
214 : 102201 : return s2n_hmac_digest(&ws->p_hash.s2n_hmac, digest, size);
215 : 102201 : }
216 : :
217 : : static int s2n_hmac_p_hash_reset(struct s2n_prf_working_space *ws)
218 : 3524199 : {
219 : : /* If we actually initialized s2n_hmac, wipe it.
220 : : * A valid, initialized s2n_hmac_state will have a valid block size.
221 : : */
222 [ + - ]: 3524199 : if (ws->p_hash.s2n_hmac.hash_block_size != 0) {
223 : 3524199 : return s2n_hmac_reset(&ws->p_hash.s2n_hmac);
224 : 3524199 : }
225 : 0 : return S2N_SUCCESS;
226 : 3524199 : }
227 : :
228 : : static int s2n_hmac_p_hash_cleanup(struct s2n_prf_working_space *ws)
229 : 16181 : {
230 : 16181 : return s2n_hmac_p_hash_reset(ws);
231 : 16181 : }
232 : :
233 : : static int s2n_hmac_p_hash_free(struct s2n_prf_working_space *ws)
234 : 126947 : {
235 : 126947 : return s2n_hmac_free(&ws->p_hash.s2n_hmac);
236 : 126947 : }
237 : :
238 : : static const struct s2n_p_hash_hmac s2n_internal_p_hash_hmac = {
239 : : .alloc = &s2n_hmac_p_hash_new,
240 : : .init = &s2n_hmac_p_hash_init,
241 : : .update = &s2n_hmac_p_hash_update,
242 : : .final = &s2n_hmac_p_hash_digest,
243 : : .reset = &s2n_hmac_p_hash_reset,
244 : : .cleanup = &s2n_hmac_p_hash_cleanup,
245 : : .free = &s2n_hmac_p_hash_free,
246 : : };
247 : :
248 : : /*
249 : : * For now, use the internal s2n-tls hmac abstraction.
250 : : * However, that is a custom implementation of hmac built on hashes.
251 : : * Ideally we should stop using our custom implementation here and switch
252 : : * to using a libcrypto implementation. Unfortunately, what each libcrypto
253 : : * can support varies a lot for HMACs.
254 : : *
255 : : * For historical reference, there used to be two other hmac implementations:
256 : : * https://github.com/aws/s2n-tls/blob/711ee0df658cd7c44088cf7a1b20a9f3cf5296d6/tls/s2n_prf.c#L174-L337
257 : : * Both implementations have compatibility issues with one or more libcryptos.
258 : : */
259 : : const struct s2n_p_hash_hmac *s2n_get_hmac_implementation()
260 : 3692073 : {
261 : 3692073 : return &s2n_internal_p_hash_hmac;
262 : 3692073 : }
263 : :
264 : : static int s2n_p_hash(struct s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label,
265 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
266 : 16181 : {
267 : 16181 : uint8_t digest_size = 0;
268 [ - + ]: 16181 : POSIX_GUARD(s2n_hmac_digest_size(alg, &digest_size));
269 : :
270 : 16181 : const struct s2n_p_hash_hmac *hmac = s2n_get_hmac_implementation();
271 [ # # ][ - + ]: 16181 : POSIX_ENSURE_REF(hmac);
272 : :
273 : : /* First compute hmac(secret + A(0)) */
274 [ - + ]: 16181 : POSIX_GUARD(hmac->init(ws, alg, secret));
275 [ - + ]: 16181 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
276 [ - + ]: 16181 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
277 : :
278 [ + + ]: 16181 : if (seed_b) {
279 [ - + ]: 6890 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
280 [ + + ]: 6890 : if (seed_c) {
281 [ - + ]: 5 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
282 : 5 : }
283 : 6890 : }
284 [ - + ]: 16181 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
285 : :
286 : 16181 : uint32_t outputlen = out->size;
287 : 16181 : uint8_t *output = out->data;
288 : :
289 [ + + ]: 59191 : while (outputlen) {
290 : : /* Now compute hmac(secret + A(N - 1) + seed) */
291 [ - + ]: 43010 : POSIX_GUARD(hmac->reset(ws));
292 [ - + ]: 43010 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
293 : :
294 : : /* Add the label + seed and compute this round's A */
295 [ - + ]: 43010 : POSIX_GUARD(hmac->update(ws, label->data, label->size));
296 [ - + ]: 43010 : POSIX_GUARD(hmac->update(ws, seed_a->data, seed_a->size));
297 [ + + ]: 43010 : if (seed_b) {
298 [ - + ]: 29969 : POSIX_GUARD(hmac->update(ws, seed_b->data, seed_b->size));
299 [ + + ]: 29969 : if (seed_c) {
300 [ - + ]: 18 : POSIX_GUARD(hmac->update(ws, seed_c->data, seed_c->size));
301 : 18 : }
302 : 29969 : }
303 : :
304 [ - + ]: 43010 : POSIX_GUARD(hmac->final(ws, ws->digest1, digest_size));
305 : :
306 [ + + ]: 43010 : uint32_t bytes_to_xor = S2N_MIN(outputlen, digest_size);
307 : :
308 [ + + ]: 1111250 : for (size_t i = 0; i < bytes_to_xor; i++) {
309 : 1068240 : *output ^= ws->digest1[i];
310 : 1068240 : output++;
311 : 1068240 : outputlen--;
312 : 1068240 : }
313 : :
314 : : /* Stash a digest of A(N), in A(N), for the next round */
315 [ - + ]: 43010 : POSIX_GUARD(hmac->reset(ws));
316 [ - + ]: 43010 : POSIX_GUARD(hmac->update(ws, ws->digest0, digest_size));
317 [ - + ]: 43010 : POSIX_GUARD(hmac->final(ws, ws->digest0, digest_size));
318 : 43010 : }
319 : :
320 [ - + ]: 16181 : POSIX_GUARD(hmac->cleanup(ws));
321 : :
322 : 16181 : return 0;
323 : 16181 : }
324 : :
325 : : S2N_RESULT s2n_prf_new(struct s2n_connection *conn)
326 : 126948 : {
327 [ + + ][ + - ]: 126948 : RESULT_ENSURE_REF(conn);
328 [ # # ][ - + ]: 126947 : RESULT_ENSURE_EQ(conn->prf_space, NULL);
329 : :
330 : 126947 : DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
331 [ - + ]: 126947 : RESULT_GUARD_POSIX(s2n_realloc(&mem, sizeof(struct s2n_prf_working_space)));
332 [ - + ]: 126947 : RESULT_GUARD_POSIX(s2n_blob_zero(&mem));
333 : 126947 : conn->prf_space = (struct s2n_prf_working_space *) (void *) mem.data;
334 : 126947 : ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
335 : :
336 : : /* Allocate the hmac state */
337 : 126947 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
338 [ # # ][ - + ]: 126947 : RESULT_ENSURE_REF(hmac_impl);
339 [ - + ]: 126947 : RESULT_GUARD_POSIX(hmac_impl->alloc(conn->prf_space));
340 : 126947 : return S2N_RESULT_OK;
341 : 126947 : }
342 : :
343 : : S2N_RESULT s2n_prf_wipe(struct s2n_connection *conn)
344 : 3422000 : {
345 [ + + ][ + - ]: 3422000 : RESULT_ENSURE_REF(conn);
346 [ + - ][ + + ]: 3421999 : RESULT_ENSURE_REF(conn->prf_space);
347 : :
348 : 3421998 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
349 [ - + ][ # # ]: 3421998 : RESULT_ENSURE_REF(hmac_impl);
350 [ - + ]: 3421998 : RESULT_GUARD_POSIX(hmac_impl->reset(conn->prf_space));
351 : :
352 : 3421998 : return S2N_RESULT_OK;
353 : 3421998 : }
354 : :
355 : : S2N_RESULT s2n_prf_free(struct s2n_connection *conn)
356 : 126975 : {
357 [ + + ][ + - ]: 126975 : RESULT_ENSURE_REF(conn);
358 [ + + ]: 126974 : if (conn->prf_space == NULL) {
359 : 27 : return S2N_RESULT_OK;
360 : 27 : }
361 : :
362 : 126947 : const struct s2n_p_hash_hmac *hmac_impl = s2n_get_hmac_implementation();
363 [ # # ][ - + ]: 126947 : RESULT_ENSURE_REF(hmac_impl);
364 [ - + ]: 126947 : RESULT_GUARD_POSIX(hmac_impl->free(conn->prf_space));
365 : :
366 [ - + ]: 126947 : RESULT_GUARD_POSIX(s2n_free_object((uint8_t **) &conn->prf_space, sizeof(struct s2n_prf_working_space)));
367 : 126947 : return S2N_RESULT_OK;
368 : 126947 : }
369 : :
370 : : S2N_RESULT s2n_prf_custom(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label,
371 : : struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
372 : 14781 : {
373 : : /* We zero the out blob because p_hash works by XOR'ing with the existing
374 : : * buffer. This is a little convoluted but means we can avoid dynamic memory
375 : : * allocation. When we call p_hash once (in the TLS1.2 case) it will produce
376 : : * the right values. When we call it twice in the regular case, the two
377 : : * outputs will be XORd just ass the TLS 1.0 and 1.1 RFCs require.
378 : : */
379 [ - + ]: 14781 : RESULT_GUARD_POSIX(s2n_blob_zero(out));
380 : :
381 [ + + ]: 14781 : if (conn->actual_protocol_version == S2N_TLS12) {
382 [ - + ]: 13381 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, conn->secure->cipher_suite->prf_alg, secret, label, seed_a,
383 : 13381 : seed_b, seed_c, out));
384 : 13381 : return S2N_RESULT_OK;
385 : 13381 : }
386 : :
387 : 1400 : struct s2n_blob half_secret = { 0 };
388 [ - + ]: 1400 : RESULT_GUARD_POSIX(s2n_blob_init(&half_secret, secret->data, (secret->size + 1) / 2));
389 : :
390 [ - + ]: 1400 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_MD5, &half_secret, label, seed_a, seed_b, seed_c, out));
391 : 1400 : half_secret.data += secret->size - half_secret.size;
392 [ - + ]: 1400 : RESULT_GUARD_POSIX(s2n_p_hash(conn->prf_space, S2N_HMAC_SHA1, &half_secret, label, seed_a, seed_b, seed_c, out));
393 : :
394 : 1400 : return S2N_RESULT_OK;
395 : 1400 : }
396 : :
397 : : int s2n_prf(struct s2n_connection *conn, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a,
398 : : struct s2n_blob *seed_b, struct s2n_blob *seed_c, struct s2n_blob *out)
399 : 15179 : {
400 [ + - ][ + + ]: 15179 : POSIX_ENSURE_REF(conn);
401 [ - + ][ # # ]: 15178 : POSIX_ENSURE_REF(conn->secure);
402 [ - + ][ # # ]: 15178 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
403 [ + + ][ + - ]: 15178 : POSIX_ENSURE_REF(conn->prf_space);
404 [ + - ][ + + ]: 15177 : POSIX_ENSURE_REF(secret);
405 [ + + ][ + - ]: 15176 : POSIX_ENSURE_REF(label);
406 [ + + ][ + - ]: 15175 : POSIX_ENSURE_REF(out);
407 : :
408 : : /* seed_a is always required, seed_b is optional, if seed_c is provided seed_b must also be provided */
409 [ + + ][ + - ]: 15174 : POSIX_ENSURE(seed_a != NULL, S2N_ERR_PRF_INVALID_SEED);
410 [ + - ][ + + ]: 15173 : POSIX_ENSURE(S2N_IMPLIES(seed_c != NULL, seed_b != NULL), S2N_ERR_PRF_INVALID_SEED);
[ + + ]
411 : :
412 [ + + ]: 15172 : if (conn->actual_protocol_version == S2N_SSLv3) {
413 [ - + ]: 391 : POSIX_GUARD(s2n_prf_sslv3(conn, secret, seed_a, seed_b, seed_c, out));
414 : 391 : return S2N_SUCCESS;
415 : 391 : }
416 : :
417 : : /* By default, s2n-tls uses a custom PRF implementation. When operating in FIPS mode, the
418 : : * FIPS-validated libcrypto implementation is used instead, if an implementation is provided.
419 : : */
420 [ - + ]: 14781 : if (s2n_is_in_fips_mode()) {
421 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_prf_libcrypto(conn, secret, label, seed_a, seed_b, seed_c, out));
422 : 0 : return S2N_SUCCESS;
423 : 0 : }
424 : :
425 [ - + ]: 14781 : POSIX_GUARD_RESULT(s2n_prf_custom(conn, secret, label, seed_a, seed_b, seed_c, out));
426 : :
427 : 14781 : return S2N_SUCCESS;
428 : 14781 : }
429 : :
430 : : int s2n_prf_tls_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
431 : 39 : {
432 [ - + ][ # # ]: 39 : POSIX_ENSURE_REF(conn);
433 : :
434 : 39 : struct s2n_blob client_random = { 0 };
435 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
436 : 39 : struct s2n_blob server_random = { 0 };
437 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
438 : 39 : struct s2n_blob master_secret = { 0 };
439 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
440 : :
441 : 39 : uint8_t master_secret_label[] = "master secret";
442 : 39 : struct s2n_blob label = { 0 };
443 [ - + ]: 39 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
444 : :
445 : 39 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, NULL, &master_secret);
446 : 39 : }
447 : :
448 : : int s2n_prf_hybrid_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
449 : 0 : {
450 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
451 : :
452 : 0 : struct s2n_blob client_random = { 0 };
453 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
454 : 0 : struct s2n_blob server_random = { 0 };
455 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
456 : 0 : struct s2n_blob master_secret = { 0 };
457 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
458 : :
459 : 0 : uint8_t master_secret_label[] = "hybrid master secret";
460 : 0 : struct s2n_blob label = { 0 };
461 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&label, master_secret_label, sizeof(master_secret_label) - 1));
462 : :
463 : 0 : return s2n_prf(conn, premaster_secret, &label, &client_random, &server_random, &conn->kex_params.client_key_exchange_message, &master_secret);
464 : 0 : }
465 : :
466 : : int s2n_prf_calculate_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret)
467 : 4524 : {
468 [ - + ][ # # ]: 4524 : POSIX_ENSURE_REF(conn);
469 [ - + ][ # # ]: 4524 : POSIX_ENSURE_REF(conn->secure);
470 : :
471 [ + + ][ + - ]: 4524 : POSIX_ENSURE_EQ(s2n_conn_get_current_message_type(conn), CLIENT_KEY);
472 : :
473 [ + + ]: 4523 : if (!conn->ems_negotiated) {
474 [ - + ]: 34 : POSIX_GUARD(s2n_prf_tls_master_secret(conn, premaster_secret));
475 : 34 : return S2N_SUCCESS;
476 : 34 : }
477 : :
478 : : /* Only the client writes the Client Key Exchange message */
479 [ + + ]: 4489 : if (conn->mode == S2N_CLIENT) {
480 [ - + ]: 2230 : POSIX_GUARD(s2n_handshake_finish_header(&conn->handshake.io));
481 : 2230 : }
482 : 4489 : struct s2n_stuffer client_key_message = conn->handshake.io;
483 [ - + ]: 4489 : POSIX_GUARD(s2n_stuffer_reread(&client_key_message));
484 : 4489 : uint32_t client_key_message_size = s2n_stuffer_data_available(&client_key_message);
485 : 4489 : struct s2n_blob client_key_blob = { 0 };
486 [ - + ]: 4489 : POSIX_GUARD(s2n_blob_init(&client_key_blob, client_key_message.blob.data, client_key_message_size));
487 : :
488 : 4489 : uint8_t data[S2N_MAX_DIGEST_LEN] = { 0 };
489 : 4489 : struct s2n_blob digest = { 0 };
490 [ - + ]: 4489 : POSIX_GUARD(s2n_blob_init(&digest, data, sizeof(data)));
491 [ + + ]: 4489 : if (conn->actual_protocol_version < S2N_TLS12) {
492 : 541 : uint8_t sha1_data[S2N_MAX_DIGEST_LEN] = { 0 };
493 : 541 : struct s2n_blob sha1_digest = { 0 };
494 [ - + ]: 541 : POSIX_GUARD(s2n_blob_init(&sha1_digest, sha1_data, sizeof(sha1_data)));
495 [ - + ]: 541 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_MD5, &digest));
496 [ - + ]: 541 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, S2N_HASH_SHA1, &sha1_digest));
497 [ - + ]: 541 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, &sha1_digest));
498 : 3948 : } else {
499 : 3948 : s2n_hmac_algorithm prf_alg = conn->secure->cipher_suite->prf_alg;
500 : 3948 : s2n_hash_algorithm hash_alg = 0;
501 [ - + ]: 3948 : POSIX_GUARD(s2n_hmac_hash_alg(prf_alg, &hash_alg));
502 [ - + ]: 3948 : POSIX_GUARD_RESULT(s2n_prf_get_digest_for_ems(conn, &client_key_blob, hash_alg, &digest));
503 [ - + ]: 3948 : POSIX_GUARD_RESULT(s2n_prf_tls_extended_master_secret(conn, premaster_secret, &digest, NULL));
504 : 3948 : }
505 : 4489 : return S2N_SUCCESS;
506 : 4489 : }
507 : :
508 : : /**
509 : : *= https://www.rfc-editor.org/rfc/rfc7627#section-4
510 : : *# When the extended master secret extension is negotiated in a full
511 : : *# handshake, the "master_secret" is computed as
512 : : *#
513 : : *# master_secret = PRF(pre_master_secret, "extended master secret",
514 : : *# session_hash)
515 : : *# [0..47];
516 : : */
517 : : S2N_RESULT s2n_prf_tls_extended_master_secret(struct s2n_connection *conn, struct s2n_blob *premaster_secret, struct s2n_blob *session_hash, struct s2n_blob *sha1_hash)
518 : 4490 : {
519 [ - + ][ # # ]: 4490 : RESULT_ENSURE_REF(conn);
520 : :
521 : 4490 : struct s2n_blob extended_master_secret = { 0 };
522 [ - + ]: 4490 : RESULT_GUARD_POSIX(s2n_blob_init(&extended_master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
523 : :
524 : 4490 : uint8_t extended_master_secret_label[] = "extended master secret";
525 : : /* Subtract one from the label size to remove the "\0" */
526 : 4490 : struct s2n_blob label = { 0 };
527 [ - + ]: 4490 : RESULT_GUARD_POSIX(s2n_blob_init(&label, extended_master_secret_label, sizeof(extended_master_secret_label) - 1));
528 : :
529 [ - + ]: 4490 : RESULT_GUARD_POSIX(s2n_prf(conn, premaster_secret, &label, session_hash, sha1_hash, NULL, &extended_master_secret));
530 : :
531 : 4490 : return S2N_RESULT_OK;
532 : 4490 : }
533 : :
534 : : S2N_RESULT s2n_prf_get_digest_for_ems(struct s2n_connection *conn, struct s2n_blob *message, s2n_hash_algorithm hash_alg, struct s2n_blob *output)
535 : 5031 : {
536 [ # # ][ - + ]: 5031 : RESULT_ENSURE_REF(conn);
537 [ # # ][ - + ]: 5031 : RESULT_ENSURE_REF(conn->handshake.hashes);
538 [ - + ][ # # ]: 5031 : RESULT_ENSURE_REF(message);
539 [ - + ][ # # ]: 5031 : RESULT_ENSURE_REF(output);
540 : :
541 : 5031 : struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
542 [ - + ]: 5031 : RESULT_GUARD(s2n_handshake_copy_hash_state(conn, hash_alg, hash_state));
543 [ - + ]: 5031 : RESULT_GUARD_POSIX(s2n_hash_update(hash_state, message->data, message->size));
544 : :
545 : 5031 : uint8_t digest_size = 0;
546 [ - + ]: 5031 : RESULT_GUARD_POSIX(s2n_hash_digest_size(hash_alg, &digest_size));
547 [ - + ][ # # ]: 5031 : RESULT_ENSURE_GTE(output->size, digest_size);
548 [ - + ]: 5031 : RESULT_GUARD_POSIX(s2n_hash_digest(hash_state, output->data, digest_size));
549 : 5031 : output->size = digest_size;
550 : :
551 : 5031 : return S2N_RESULT_OK;
552 : 5031 : }
553 : :
554 : : static int s2n_prf_sslv3_finished(struct s2n_connection *conn, uint8_t prefix[4], struct s2n_hash_state *hash_workspace, uint8_t *out)
555 : 389 : {
556 [ - + ][ # # ]: 389 : POSIX_ENSURE_REF(conn);
557 [ - + ][ # # ]: 389 : POSIX_ENSURE_REF(conn->handshake.hashes);
558 : :
559 : 389 : uint8_t xorpad1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
560 : 389 : 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 };
561 : 389 : uint8_t xorpad2[48] = { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
562 : 389 : 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c };
563 : 389 : uint8_t *md5_digest = out;
564 : 389 : uint8_t *sha_digest = out + MD5_DIGEST_LENGTH;
565 : :
566 [ - + ]: 389 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH));
567 : :
568 : 389 : struct s2n_hash_state *md5 = hash_workspace;
569 [ - + ]: 389 : POSIX_GUARD(s2n_hash_copy(md5, &conn->handshake.hashes->md5));
570 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, prefix, 4));
571 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
572 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, xorpad1, 48));
573 [ - + ]: 389 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
574 [ - + ]: 389 : POSIX_GUARD(s2n_hash_reset(md5));
575 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
576 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, xorpad2, 48));
577 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(md5, md5_digest, MD5_DIGEST_LENGTH));
578 [ - + ]: 389 : POSIX_GUARD(s2n_hash_digest(md5, md5_digest, MD5_DIGEST_LENGTH));
579 [ - + ]: 389 : POSIX_GUARD(s2n_hash_reset(md5));
580 : :
581 : 389 : struct s2n_hash_state *sha1 = hash_workspace;
582 [ - + ]: 389 : POSIX_GUARD(s2n_hash_copy(sha1, &conn->handshake.hashes->sha1));
583 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, prefix, 4));
584 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
585 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, xorpad1, 40));
586 [ - + ]: 389 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
587 [ - + ]: 389 : POSIX_GUARD(s2n_hash_reset(sha1));
588 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
589 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, xorpad2, 40));
590 [ - + ]: 389 : POSIX_GUARD(s2n_hash_update(sha1, sha_digest, SHA_DIGEST_LENGTH));
591 [ - + ]: 389 : POSIX_GUARD(s2n_hash_digest(sha1, sha_digest, SHA_DIGEST_LENGTH));
592 [ - + ]: 389 : POSIX_GUARD(s2n_hash_reset(sha1));
593 : :
594 : 389 : return 0;
595 : 389 : }
596 : :
597 : : static int s2n_prf_sslv3_client_finished(struct s2n_connection *conn)
598 : 194 : {
599 [ # # ][ - + ]: 194 : POSIX_ENSURE_REF(conn);
600 [ - + ][ # # ]: 194 : POSIX_ENSURE_REF(conn->handshake.hashes);
601 : :
602 : 194 : uint8_t prefix[4] = { 0x43, 0x4c, 0x4e, 0x54 };
603 : :
604 : 194 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.client_finished);
605 : 194 : }
606 : :
607 : : static int s2n_prf_sslv3_server_finished(struct s2n_connection *conn)
608 : 195 : {
609 [ - + ][ # # ]: 195 : POSIX_ENSURE_REF(conn);
610 [ - + ][ # # ]: 195 : POSIX_ENSURE_REF(conn->handshake.hashes);
611 : :
612 : 195 : uint8_t prefix[4] = { 0x53, 0x52, 0x56, 0x52 };
613 : :
614 : 195 : return s2n_prf_sslv3_finished(conn, prefix, &conn->handshake.hashes->hash_workspace, conn->handshake.server_finished);
615 : 195 : }
616 : :
617 : : int s2n_prf_client_finished(struct s2n_connection *conn)
618 : 3670 : {
619 [ - + ][ # # ]: 3670 : POSIX_ENSURE_REF(conn);
620 [ # # ][ - + ]: 3670 : POSIX_ENSURE_REF(conn->secure);
621 [ - + ][ # # ]: 3670 : POSIX_ENSURE_REF(conn->handshake.hashes);
622 : :
623 : 3670 : struct s2n_blob master_secret, md5, sha;
624 : 3670 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
625 : 3670 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
626 : 3670 : uint8_t client_finished_label[] = "client finished";
627 : 3670 : struct s2n_blob client_finished = { 0 };
628 : 3670 : struct s2n_blob label = { 0 };
629 : :
630 [ + + ]: 3670 : if (conn->actual_protocol_version == S2N_SSLv3) {
631 : 194 : return s2n_prf_sslv3_client_finished(conn);
632 : 194 : }
633 : :
634 : 3476 : client_finished.data = conn->handshake.client_finished;
635 : 3476 : client_finished.size = S2N_TLS_FINISHED_LEN;
636 [ + + ]: 3476 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, client_finished.size));
637 : 3474 : label.data = client_finished_label;
638 : 3474 : label.size = sizeof(client_finished_label) - 1;
639 : :
640 : 3474 : master_secret.data = conn->secrets.version.tls12.master_secret;
641 : 3474 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
642 [ + + ]: 3474 : if (conn->actual_protocol_version == S2N_TLS12) {
643 : 3128 : switch (conn->secure->cipher_suite->prf_alg) {
644 [ + + ]: 2906 : case S2N_HMAC_SHA256:
645 [ - + ]: 2906 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
646 [ - + ]: 2906 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
647 : 2906 : sha.size = SHA256_DIGEST_LENGTH;
648 : 2906 : break;
649 [ + + ]: 222 : case S2N_HMAC_SHA384:
650 [ - + ]: 222 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
651 [ - + ]: 222 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
652 : 222 : sha.size = SHA384_DIGEST_LENGTH;
653 : 222 : break;
654 [ - + ]: 0 : default:
655 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
656 : 3128 : }
657 : :
658 : 3128 : sha.data = sha_digest;
659 : 3128 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &client_finished);
660 : 3128 : }
661 : :
662 [ - + ]: 346 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
663 [ - + ]: 346 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
664 : 346 : md5.data = md5_digest;
665 : 346 : md5.size = MD5_DIGEST_LENGTH;
666 : :
667 [ - + ]: 346 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
668 [ - + ]: 346 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
669 : 346 : sha.data = sha_digest;
670 : 346 : sha.size = SHA_DIGEST_LENGTH;
671 : :
672 : 346 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &client_finished);
673 : 346 : }
674 : :
675 : : int s2n_prf_server_finished(struct s2n_connection *conn)
676 : 2749 : {
677 [ # # ][ - + ]: 2749 : POSIX_ENSURE_REF(conn);
678 [ - + ][ # # ]: 2749 : POSIX_ENSURE_REF(conn->secure);
679 [ # # ][ - + ]: 2749 : POSIX_ENSURE_REF(conn->handshake.hashes);
680 : :
681 : 2749 : struct s2n_blob master_secret, md5, sha;
682 : 2749 : uint8_t md5_digest[MD5_DIGEST_LENGTH];
683 : 2749 : uint8_t sha_digest[SHA384_DIGEST_LENGTH];
684 : 2749 : uint8_t server_finished_label[] = "server finished";
685 : 2749 : struct s2n_blob server_finished = { 0 };
686 : 2749 : struct s2n_blob label = { 0 };
687 : :
688 [ + + ]: 2749 : if (conn->actual_protocol_version == S2N_SSLv3) {
689 : 195 : return s2n_prf_sslv3_server_finished(conn);
690 : 195 : }
691 : :
692 : 2554 : server_finished.data = conn->handshake.server_finished;
693 : 2554 : server_finished.size = S2N_TLS_FINISHED_LEN;
694 [ - + ]: 2554 : POSIX_GUARD_RESULT(s2n_handshake_set_finished_len(conn, server_finished.size));
695 : 2554 : label.data = server_finished_label;
696 : 2554 : label.size = sizeof(server_finished_label) - 1;
697 : :
698 : 2554 : master_secret.data = conn->secrets.version.tls12.master_secret;
699 : 2554 : master_secret.size = sizeof(conn->secrets.version.tls12.master_secret);
700 [ + + ]: 2554 : if (conn->actual_protocol_version == S2N_TLS12) {
701 : 2208 : switch (conn->secure->cipher_suite->prf_alg) {
702 [ + + ]: 1989 : case S2N_HMAC_SHA256:
703 [ - + ]: 1989 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha256));
704 [ - + ]: 1989 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA256_DIGEST_LENGTH));
705 : 1989 : sha.size = SHA256_DIGEST_LENGTH;
706 : 1989 : break;
707 [ + + ]: 219 : case S2N_HMAC_SHA384:
708 [ - + ]: 219 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha384));
709 [ - + ]: 219 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA384_DIGEST_LENGTH));
710 : 219 : sha.size = SHA384_DIGEST_LENGTH;
711 : 219 : break;
712 [ - + ]: 0 : default:
713 [ # # ]: 0 : POSIX_BAIL(S2N_ERR_PRF_INVALID_ALGORITHM);
714 : 2208 : }
715 : :
716 : 2208 : sha.data = sha_digest;
717 : 2208 : return s2n_prf(conn, &master_secret, &label, &sha, NULL, NULL, &server_finished);
718 : 2208 : }
719 : :
720 [ - + ]: 346 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->md5));
721 [ - + ]: 346 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, md5_digest, MD5_DIGEST_LENGTH));
722 : 346 : md5.data = md5_digest;
723 : 346 : md5.size = MD5_DIGEST_LENGTH;
724 : :
725 [ - + ]: 346 : POSIX_GUARD(s2n_hash_copy(&conn->handshake.hashes->hash_workspace, &conn->handshake.hashes->sha1));
726 [ - + ]: 346 : POSIX_GUARD(s2n_hash_digest(&conn->handshake.hashes->hash_workspace, sha_digest, SHA_DIGEST_LENGTH));
727 : 346 : sha.data = sha_digest;
728 : 346 : sha.size = SHA_DIGEST_LENGTH;
729 : :
730 : 346 : return s2n_prf(conn, &master_secret, &label, &md5, &sha, NULL, &server_finished);
731 : 346 : }
732 : :
733 : : static int s2n_prf_make_client_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
734 : 4585 : {
735 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn);
736 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure);
737 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
738 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
739 : 4585 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
740 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher);
741 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher->set_encryption_key);
742 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher->set_decryption_key);
743 : :
744 [ + + ]: 4585 : if (conn->mode == S2N_CLIENT) {
745 [ - + ]: 2270 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->client_key, &key_material->client_key));
746 : 2315 : } else {
747 [ - + ]: 2315 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->client_key, &key_material->client_key));
748 : 2315 : }
749 : :
750 : 4585 : return 0;
751 : 4585 : }
752 : :
753 : : static int s2n_prf_make_server_key(struct s2n_connection *conn, struct s2n_key_material *key_material)
754 : 4585 : {
755 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn);
756 [ # # ][ - + ]: 4585 : POSIX_ENSURE_REF(conn->secure);
757 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
758 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure->cipher_suite->record_alg);
759 : 4585 : const struct s2n_cipher *cipher = conn->secure->cipher_suite->record_alg->cipher;
760 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher);
761 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher->set_encryption_key);
762 [ # # ][ - + ]: 4585 : POSIX_ENSURE_REF(cipher->set_decryption_key);
763 : :
764 [ + + ]: 4585 : if (conn->mode == S2N_SERVER) {
765 [ - + ]: 2315 : POSIX_GUARD_RESULT(cipher->set_encryption_key(&conn->secure->server_key, &key_material->server_key));
766 : 2315 : } else {
767 [ - + ]: 2270 : POSIX_GUARD_RESULT(cipher->set_decryption_key(&conn->secure->server_key, &key_material->server_key));
768 : 2270 : }
769 : :
770 : 4585 : return 0;
771 : 4585 : }
772 : :
773 : : S2N_RESULT s2n_prf_generate_key_material(struct s2n_connection *conn, struct s2n_key_material *key_material)
774 : 4608 : {
775 [ # # ][ - + ]: 4608 : RESULT_ENSURE_REF(conn);
776 [ - + ][ # # ]: 4608 : RESULT_ENSURE_REF(key_material);
777 : :
778 : 4608 : struct s2n_blob client_random = { 0 };
779 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_blob_init(&client_random, conn->client_hello.random, sizeof(conn->client_hello.random)));
780 : 4608 : struct s2n_blob server_random = { 0 };
781 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_blob_init(&server_random, conn->handshake_params.server_random, sizeof(conn->handshake_params.server_random)));
782 : 4608 : struct s2n_blob master_secret = { 0 };
783 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_blob_init(&master_secret, conn->secrets.version.tls12.master_secret, sizeof(conn->secrets.version.tls12.master_secret)));
784 : :
785 : 4608 : struct s2n_blob label = { 0 };
786 : 4608 : uint8_t key_expansion_label[] = "key expansion";
787 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_blob_init(&label, key_expansion_label, sizeof(key_expansion_label) - 1));
788 : :
789 [ - + ]: 4608 : RESULT_GUARD(s2n_key_material_init(key_material, conn));
790 : 4608 : struct s2n_blob prf_out = { 0 };
791 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_blob_init(&prf_out, key_material->key_block, sizeof(key_material->key_block)));
792 [ - + ]: 4608 : RESULT_GUARD_POSIX(s2n_prf(conn, &master_secret, &label, &server_random, &client_random, NULL, &prf_out));
793 : :
794 : 4608 : return S2N_RESULT_OK;
795 : 4608 : }
796 : :
797 : : int s2n_prf_key_expansion(struct s2n_connection *conn)
798 : 4585 : {
799 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn);
800 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(conn->secure);
801 : 4585 : struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
802 [ # # ][ - + ]: 4585 : POSIX_ENSURE_REF(cipher_suite);
803 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher_suite->record_alg);
804 : 4585 : const struct s2n_cipher *cipher = cipher_suite->record_alg->cipher;
805 [ - + ][ # # ]: 4585 : POSIX_ENSURE_REF(cipher);
806 : :
807 : 4585 : struct s2n_key_material key_material = { 0 };
808 [ - + ]: 4585 : POSIX_GUARD_RESULT(s2n_prf_generate_key_material(conn, &key_material));
809 : :
810 [ - + ][ # # ]: 4585 : POSIX_ENSURE(cipher_suite->available, S2N_ERR_PRF_INVALID_ALGORITHM);
811 [ - + ]: 4585 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->client_key));
812 [ - + ]: 4585 : POSIX_GUARD_RESULT(cipher->init(&conn->secure->server_key));
813 : :
814 : : /* Seed the client MAC */
815 [ - + ]: 4585 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->client_record_mac));
816 [ - + ]: 4585 : POSIX_GUARD(s2n_hmac_init(
817 : 4585 : &conn->secure->client_record_mac,
818 : 4585 : cipher_suite->record_alg->hmac_alg,
819 : 4585 : key_material.client_mac.data,
820 : 4585 : key_material.client_mac.size));
821 : :
822 : : /* Seed the server MAC */
823 [ - + ]: 4585 : POSIX_GUARD(s2n_hmac_reset(&conn->secure->server_record_mac));
824 [ - + ]: 4585 : POSIX_GUARD(s2n_hmac_init(
825 : 4585 : &conn->secure->server_record_mac,
826 : 4585 : conn->secure->cipher_suite->record_alg->hmac_alg,
827 : 4585 : key_material.server_mac.data,
828 : 4585 : key_material.server_mac.size));
829 : :
830 : : /* Make the client key */
831 [ - + ]: 4585 : POSIX_GUARD(s2n_prf_make_client_key(conn, &key_material));
832 : :
833 : : /* Make the server key */
834 [ - + ]: 4585 : POSIX_GUARD(s2n_prf_make_server_key(conn, &key_material));
835 : :
836 : : /* Composite CBC does MAC inside the cipher, pass it the MAC key.
837 : : * Must happen after setting encryption/decryption keys.
838 : : */
839 [ + + ]: 4585 : if (cipher->type == S2N_COMPOSITE) {
840 [ - + ]: 770 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->client_key, key_material.client_mac.data, key_material.client_mac.size));
841 [ - + ]: 770 : POSIX_GUARD(cipher->io.comp.set_mac_write_key(&conn->secure->server_key, key_material.server_mac.data, key_material.server_mac.size));
842 : 770 : }
843 : :
844 : : /* set IV */
845 [ - + ][ # # ]: 4585 : POSIX_ENSURE_EQ(key_material.client_iv.size, key_material.server_iv.size);
846 [ - + ][ # # ]: 4585 : POSIX_ENSURE_LTE(key_material.client_iv.size, S2N_TLS_MAX_IV_LEN);
847 [ - + ][ # # ]: 4585 : POSIX_CHECKED_MEMCPY(conn->secure->client_implicit_iv, key_material.client_iv.data, key_material.client_iv.size);
[ + + ]
848 [ - + ][ # # ]: 4585 : POSIX_CHECKED_MEMCPY(conn->secure->server_implicit_iv, key_material.server_iv.data, key_material.server_iv.size);
[ + + ]
849 : :
850 : 4585 : return 0;
851 : 4585 : }
|