Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : : #include <stdbool.h>
16 : :
17 : : #include "crypto/s2n_pq.h"
18 : : #include "error/s2n_errno.h"
19 : : #include "tls/s2n_cipher_suites.h"
20 : : #include "tls/s2n_server_extensions.h"
21 : : #include "tls/s2n_tls.h"
22 : : #include "tls/s2n_tls13.h"
23 : : #include "tls/s2n_tls13_handshake.h"
24 : : #include "utils/s2n_blob.h"
25 : : #include "utils/s2n_safety.h"
26 : :
27 : : /* From RFC5246 7.4.1.2. */
28 : : #define S2N_TLS_COMPRESSION_METHOD_NULL 0
29 : :
30 : : /* from RFC: https://tools.ietf.org/html/rfc8446#section-4.1.3*/
31 : : uint8_t hello_retry_req_random[S2N_TLS_RANDOM_DATA_LEN] = {
32 : : 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
33 : : 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
34 : : };
35 : :
36 : : int s2n_server_hello_retry_send(struct s2n_connection *conn)
37 : 652 : {
38 [ - + ][ # # ]: 652 : POSIX_ENSURE_REF(conn);
39 : :
40 [ # # ][ - + ]: 652 : POSIX_CHECKED_MEMCPY(conn->handshake_params.server_random, hello_retry_req_random, S2N_TLS_RANDOM_DATA_LEN);
[ + - ]
41 : :
42 [ - + ]: 652 : POSIX_GUARD(s2n_server_hello_write_message(conn));
43 : :
44 : : /* Write the extensions */
45 [ - + ]: 652 : POSIX_GUARD(s2n_server_extensions_send(conn, &conn->handshake.io));
46 : :
47 : : /* Update transcript */
48 [ - + ]: 652 : POSIX_GUARD(s2n_server_hello_retry_recreate_transcript(conn));
49 : :
50 : : /* Reset handshake values */
51 : 652 : conn->handshake.client_hello_received = 0;
52 : 652 : conn->client_hello.parsed = 0;
53 [ - + ][ # # ]: 652 : POSIX_CHECKED_MEMSET((uint8_t *) conn->extension_requests_received, 0, sizeof(s2n_extension_bitfield));
[ + - ]
54 : :
55 : 652 : return 0;
56 : 652 : }
57 : :
58 : : int s2n_server_hello_retry_recv(struct s2n_connection *conn)
59 : 653 : {
60 [ - + ][ # # ]: 653 : POSIX_ENSURE_REF(conn);
61 [ + + ][ + - ]: 653 : POSIX_ENSURE(conn->actual_protocol_version >= S2N_TLS13, S2N_ERR_INVALID_HELLO_RETRY);
62 : :
63 : 652 : const struct s2n_ecc_preferences *ecc_pref = NULL;
64 [ - + ]: 652 : POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
65 [ - + ][ # # ]: 652 : POSIX_ENSURE_REF(ecc_pref);
66 : :
67 : 652 : const struct s2n_kem_preferences *kem_pref = NULL;
68 [ - + ]: 652 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
69 [ - + ][ # # ]: 652 : POSIX_ENSURE_REF(kem_pref);
70 : :
71 : 652 : const struct s2n_ecc_named_curve *named_curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
72 : 652 : const struct s2n_kem_group *server_preferred_kem_group = conn->kex_params.server_kem_group_params.kem_group;
73 : 652 : const struct s2n_kem_group *client_preferred_kem_group = conn->kex_params.client_kem_group_params.kem_group;
74 : :
75 : : /* Boolean XOR check: exactly one of {named_curve, kem_group} should be non-null. */
76 [ - + ][ # # ]: 652 : POSIX_ENSURE((named_curve != NULL) != (server_preferred_kem_group != NULL), S2N_ERR_INVALID_HELLO_RETRY);
77 : :
78 : : /**
79 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.2.8
80 : : *# Upon receipt of this extension in a HelloRetryRequest, the client
81 : : *# MUST verify that (1) the selected_group field corresponds to a group
82 : : *# which was provided in the "supported_groups" extension in the
83 : : *# original ClientHello
84 : : **/
85 : 652 : bool selected_group_in_supported_groups = false;
86 [ + + ][ + - ]: 652 : if (named_curve != NULL && s2n_ecc_preferences_includes_curve(ecc_pref, named_curve->iana_id)) {
87 : 651 : selected_group_in_supported_groups = true;
88 : 651 : }
89 [ + + ]: 652 : if (server_preferred_kem_group != NULL
90 [ - + ]: 652 : && s2n_kem_group_is_available(server_preferred_kem_group)
91 [ # # ]: 652 : && s2n_kem_preferences_includes_tls13_kem_group(kem_pref, server_preferred_kem_group->iana_id)) {
92 : 0 : selected_group_in_supported_groups = true;
93 : 0 : }
94 : :
95 : : /**
96 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.2.8
97 : : *# and (2) the selected_group field does not
98 : : *# correspond to a group which was provided in the "key_share" extension
99 : : *# in the original ClientHello.
100 : : **/
101 : 652 : bool new_key_share_requested = false;
102 : :
103 [ + + ]: 652 : if (named_curve != NULL) {
104 : 651 : new_key_share_requested = (named_curve != conn->kex_params.client_ecc_evp_params.negotiated_curve);
105 : 651 : }
106 : :
107 [ + + ]: 652 : if (server_preferred_kem_group != NULL) {
108 : : /* If PQ is disabled, the client should not have sent any PQ IDs
109 : : * in the supported_groups list of the initial ClientHello */
110 [ + - ][ + - ]: 1 : POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_INVALID_HELLO_RETRY);
111 : 0 : new_key_share_requested = (server_preferred_kem_group != client_preferred_kem_group);
112 : 0 : }
113 : :
114 : : /**
115 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.2.8
116 : : *# If either of these checks fails, then
117 : : *# the client MUST abort the handshake with an "illegal_parameter"
118 : : *# alert.
119 : : *
120 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.1.4
121 : : *# Clients MUST abort the handshake with an
122 : : *# "illegal_parameter" alert if the HelloRetryRequest would not result
123 : : *# in any change in the ClientHello.
124 : : **/
125 [ + + ][ + - ]: 651 : POSIX_ENSURE(new_key_share_requested, S2N_ERR_INVALID_HELLO_RETRY);
126 [ - + ][ # # ]: 647 : POSIX_ENSURE(selected_group_in_supported_groups, S2N_ERR_INVALID_HELLO_RETRY);
127 : :
128 : : /* Update transcript hash */
129 [ - + ]: 647 : POSIX_GUARD(s2n_server_hello_retry_recreate_transcript(conn));
130 : :
131 : : /* Reset handshake values */
132 [ - + ][ # # ]: 647 : POSIX_CHECKED_MEMSET((uint8_t *) conn->extension_requests_sent, 0, sizeof(s2n_extension_bitfield));
[ + - ]
133 : :
134 : 647 : return S2N_SUCCESS;
135 : 647 : }
|
