Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "api/s2n.h"
17 : : #include "crypto/s2n_dhe.h"
18 : : #include "crypto/s2n_fips.h"
19 : : #include "error/s2n_errno.h"
20 : : #include "stuffer/s2n_stuffer.h"
21 : : #include "tls/s2n_async_pkey.h"
22 : : #include "tls/s2n_cipher_preferences.h"
23 : : #include "tls/s2n_cipher_suites.h"
24 : : #include "tls/s2n_connection.h"
25 : : #include "tls/s2n_kem.h"
26 : : #include "tls/s2n_kex.h"
27 : : #include "tls/s2n_security_policies.h"
28 : : #include "tls/s2n_signature_algorithms.h"
29 : : #include "utils/s2n_random.h"
30 : : #include "utils/s2n_safety.h"
31 : :
32 : : static int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
33 : :
34 : : int s2n_server_key_recv(struct s2n_connection *conn)
35 : 778 : {
36 [ - + ][ # # ]: 778 : POSIX_ENSURE_REF(conn);
37 [ # # ][ - + ]: 778 : POSIX_ENSURE_REF(conn->secure);
38 [ - + ][ # # ]: 778 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
39 [ # # ][ - + ]: 778 : POSIX_ENSURE_REF(conn->secure->cipher_suite->key_exchange_alg);
40 [ - + ][ # # ]: 778 : POSIX_ENSURE_REF(conn->handshake.hashes);
41 : :
42 : 778 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
43 : 778 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
44 : 778 : struct s2n_stuffer *in = &conn->handshake.io;
45 : 778 : struct s2n_blob data_to_verify = { 0 };
46 : :
47 : : /* Read the KEX data */
48 : 778 : struct s2n_kex_raw_server_data kex_data = { 0 };
49 [ - + ]: 778 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
50 : :
51 [ + + ]: 778 : POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
52 : 774 : const struct s2n_signature_scheme *active_sig_scheme = conn->handshake_params.server_cert_sig_scheme;
53 [ - + ][ # # ]: 774 : POSIX_ENSURE_REF(active_sig_scheme);
54 : :
55 [ - + ]: 774 : POSIX_GUARD(s2n_hash_init(signature_hash, active_sig_scheme->hash_alg));
56 [ - + ]: 774 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN));
57 [ - + ]: 774 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
58 : :
59 : : /* Add KEX specific data */
60 [ - + ]: 774 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
61 : :
62 : : /* Verify the signature */
63 : 774 : uint16_t signature_length = 0;
64 [ - + ]: 774 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
65 : :
66 : 774 : struct s2n_blob signature = { 0 };
67 [ - + ]: 774 : POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length));
68 : :
69 [ - + ][ # # ]: 774 : POSIX_ENSURE_REF(signature.data);
70 [ - + ][ # # ]: 774 : POSIX_ENSURE_GT(signature_length, 0);
71 : :
72 [ - + ][ # # ]: 774 : S2N_ERROR_IF(s2n_pkey_verify(&conn->handshake_params.server_public_key, active_sig_scheme->sig_alg, signature_hash, &signature) < 0,
73 : 774 : S2N_ERR_BAD_MESSAGE);
74 : :
75 : : /* We don't need the key any more, so free it */
76 [ - + ]: 774 : POSIX_GUARD(s2n_pkey_free(&conn->handshake_params.server_public_key));
77 : :
78 : : /* Parse the KEX data into whatever form needed and save it to the connection object */
79 [ - + ]: 774 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
80 : 774 : return 0;
81 : 774 : }
82 : :
83 : : int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
84 : : struct s2n_kex_raw_server_data *raw_server_data)
85 : 754 : {
86 : 754 : struct s2n_stuffer *in = &conn->handshake.io;
87 : :
88 [ - + ]: 754 : POSIX_GUARD(s2n_ecc_evp_read_params(in, data_to_verify, &raw_server_data->ecdhe_data));
89 : 754 : return 0;
90 : 754 : }
91 : :
92 : : int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
93 : 750 : {
94 [ - + ]: 750 : POSIX_GUARD(s2n_ecc_evp_parse_params(conn, &raw_server_data->ecdhe_data, &conn->kex_params.server_ecc_evp_params));
95 : :
96 : 750 : return 0;
97 : 750 : }
98 : :
99 : : int s2n_dhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
100 : : struct s2n_kex_raw_server_data *raw_server_data)
101 : 24 : {
102 : 24 : struct s2n_stuffer *in = &conn->handshake.io;
103 : 24 : struct s2n_dhe_raw_server_points *dhe_data = &raw_server_data->dhe_data;
104 : :
105 : 24 : uint16_t p_length = 0;
106 : 24 : uint16_t g_length = 0;
107 : 24 : uint16_t Ys_length = 0;
108 : :
109 : : /* Keep a copy to the start of the whole structure for the signature check */
110 : 24 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
111 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(data_to_verify->data);
112 : :
113 : : /* Read each of the three elements in */
114 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &p_length));
115 : 24 : dhe_data->p.size = p_length;
116 : 24 : dhe_data->p.data = s2n_stuffer_raw_read(in, p_length);
117 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->p.data);
118 : :
119 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &g_length));
120 : 24 : dhe_data->g.size = g_length;
121 : 24 : dhe_data->g.data = s2n_stuffer_raw_read(in, g_length);
122 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->g.data);
123 : :
124 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
125 : 24 : dhe_data->Ys.size = Ys_length;
126 : 24 : dhe_data->Ys.data = s2n_stuffer_raw_read(in, Ys_length);
127 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->Ys.data);
128 : :
129 : : /* Now we know the total size of the structure */
130 : 24 : data_to_verify->size = 2 + p_length + 2 + g_length + 2 + Ys_length;
131 : 24 : return 0;
132 : 24 : }
133 : :
134 : : int s2n_dhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
135 : 24 : {
136 : 24 : struct s2n_dhe_raw_server_points dhe_data = raw_server_data->dhe_data;
137 : :
138 : : /* Copy the DH details */
139 [ - + ]: 24 : POSIX_GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->kex_params.server_dh_params, &dhe_data.p, &dhe_data.g, &dhe_data.Ys));
140 : 24 : return 0;
141 : 24 : }
142 : :
143 : : int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
144 : : struct s2n_kex_raw_server_data *raw_server_data)
145 : 0 : {
146 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
147 : 0 : struct s2n_stuffer *in = &conn->handshake.io;
148 : :
149 : : /* Keep a copy to the start of the whole structure for the signature check */
150 : 0 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
151 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_verify->data);
152 : :
153 : : /* the server sends the KEM ID */
154 : 0 : kem_data->kem_name.data = s2n_stuffer_raw_read(in, 2);
155 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_data->kem_name.data);
156 : 0 : kem_data->kem_name.size = 2;
157 : :
158 : 0 : struct s2n_stuffer kem_id_stuffer = { 0 };
159 : 0 : uint8_t kem_id_arr[2];
160 : 0 : kem_extension_size kem_id = 0;
161 : 0 : struct s2n_blob kem_id_blob = { 0 };
162 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr)));
163 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
164 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
165 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));
166 : :
167 [ # # ]: 0 : POSIX_GUARD(s2n_get_kem_from_extension_id(kem_id, &(conn->kex_params.kem_params.kem)));
168 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
169 [ # # ]: 0 : POSIX_GUARD(s2n_kem_recv_public_key(in, &(conn->kex_params.kem_params)));
170 : :
171 : 0 : kem_data->raw_public_key.data = conn->kex_params.kem_params.public_key.data;
172 : 0 : kem_data->raw_public_key.size = conn->kex_params.kem_params.public_key.size;
173 : :
174 : 0 : data_to_verify->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem_data->raw_public_key.size;
175 : :
176 : 0 : return 0;
177 : 0 : }
178 : :
179 : : int s2n_kem_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
180 : 0 : {
181 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
182 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
183 : :
184 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
185 : :
186 : : /* Check that the server's requested kem is supported by the client */
187 : 0 : const struct s2n_kem_preferences *kem_preferences = NULL;
188 [ # # ]: 0 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_preferences));
189 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_preferences);
190 : :
191 : 0 : const struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
192 : 0 : const struct s2n_kem *match = NULL;
193 [ # # ][ # # ]: 0 : S2N_ERROR_IF(s2n_choose_kem_with_peer_pref_list(cipher_suite->iana_value, &kem_data->kem_name,
194 : 0 : kem_preferences->kems, kem_preferences->kem_count, &match)
195 : 0 : != 0,
196 : 0 : S2N_ERR_KEM_UNSUPPORTED_PARAMS);
197 : 0 : conn->kex_params.kem_params.kem = match;
198 : :
199 [ # # ][ # # ]: 0 : S2N_ERROR_IF(kem_data->raw_public_key.size != conn->kex_params.kem_params.kem->public_key_length,
200 : 0 : S2N_ERR_BAD_MESSAGE);
201 : :
202 : 0 : return 0;
203 : 0 : }
204 : :
205 : : int s2n_hybrid_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *total_data_to_verify,
206 : : struct s2n_kex_raw_server_data *raw_server_data)
207 : 0 : {
208 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
209 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
210 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
211 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
212 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
213 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
214 : :
215 : : /* Keep a copy to the start of the whole structure for the signature check */
216 : 0 : total_data_to_verify->data = s2n_stuffer_raw_read(&conn->handshake.io, 0);
217 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_verify->data);
218 : :
219 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
220 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_0, conn, &data_to_verify_0, raw_server_data));
221 : :
222 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
223 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_1, conn, &data_to_verify_1, raw_server_data));
224 : :
225 : 0 : total_data_to_verify->size = data_to_verify_0.size + data_to_verify_1.size;
226 : 0 : return 0;
227 : 0 : }
228 : :
229 : : int s2n_hybrid_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
230 : 0 : {
231 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
232 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
233 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
234 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
235 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
236 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
237 : :
238 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_0, conn, raw_server_data));
239 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_1, conn, raw_server_data));
240 : 0 : return 0;
241 : 0 : }
242 : :
243 : : int s2n_server_key_send(struct s2n_connection *conn)
244 : 933 : {
245 [ - + ][ # # ]: 933 : POSIX_ENSURE_REF(conn);
246 [ # # ][ - + ]: 933 : POSIX_ENSURE_REF(conn->handshake.hashes);
247 : :
248 [ - + ][ + + ]: 933 : S2N_ASYNC_PKEY_GUARD(conn);
[ + + ][ + + ]
[ - + ][ + - ]
249 : :
250 : 850 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
251 : 850 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
252 : 850 : const struct s2n_signature_scheme *sig_scheme = conn->handshake_params.server_cert_sig_scheme;
253 [ - + ][ # # ]: 850 : POSIX_ENSURE_REF(sig_scheme);
254 : 850 : struct s2n_stuffer *out = &conn->handshake.io;
255 : 850 : struct s2n_blob data_to_sign = { 0 };
256 : :
257 : : /* Call the negotiated key exchange method to send it's data */
258 [ - + ]: 850 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
259 : :
260 : : /* Add common signature data */
261 [ + + ]: 850 : if (conn->actual_protocol_version == S2N_TLS12) {
262 [ - + ]: 679 : POSIX_GUARD(s2n_stuffer_write_uint16(out, sig_scheme->iana_value));
263 : 679 : }
264 : :
265 : : /* Add the random data to the hash */
266 [ - + ]: 850 : POSIX_GUARD(s2n_hash_init(signature_hash, sig_scheme->hash_alg));
267 [ - + ]: 850 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN));
268 [ - + ]: 850 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
269 : :
270 : : /* Add KEX specific data to the hash */
271 [ - + ]: 850 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
272 : :
273 [ + + ]: 850 : S2N_ASYNC_PKEY_SIGN(conn, sig_scheme->sig_alg, signature_hash,
274 : 0 : s2n_server_key_send_write_signature);
275 : 0 : }
276 : :
277 : : int s2n_ecdhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
278 : 826 : {
279 : 826 : struct s2n_stuffer *out = &conn->handshake.io;
280 : :
281 : : /* Generate an ephemeral key and */
282 [ - + ]: 826 : POSIX_GUARD(s2n_ecc_evp_generate_ephemeral_key(&conn->kex_params.server_ecc_evp_params));
283 : :
284 : : /* Write it out and calculate the data to sign later */
285 [ - + ]: 826 : POSIX_GUARD(s2n_ecc_evp_write_params(&conn->kex_params.server_ecc_evp_params, out, data_to_sign));
286 : 826 : return 0;
287 : 826 : }
288 : :
289 : : int s2n_dhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
290 : 24 : {
291 : 24 : struct s2n_stuffer *out = &conn->handshake.io;
292 : :
293 : : /* Duplicate the DH key from the config */
294 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->kex_params.server_dh_params));
295 : :
296 : : /* Generate an ephemeral key */
297 [ - + ]: 24 : POSIX_GUARD(s2n_dh_generate_ephemeral_key(&conn->kex_params.server_dh_params));
298 : :
299 : : /* Write it out and calculate the data to sign later */
300 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_to_p_g_Ys(&conn->kex_params.server_dh_params, out, data_to_sign));
301 : 24 : return 0;
302 : 24 : }
303 : :
304 : : int s2n_kem_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
305 : 0 : {
306 : 0 : struct s2n_stuffer *out = &conn->handshake.io;
307 : 0 : const struct s2n_kem *kem = conn->kex_params.kem_params.kem;
308 : :
309 : 0 : data_to_sign->data = s2n_stuffer_raw_write(out, 0);
310 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_sign->data);
311 : :
312 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->kem_extension_id));
313 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
314 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_public_key(out, &(conn->kex_params.kem_params)));
315 : :
316 : 0 : data_to_sign->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem->public_key_length;
317 : :
318 : 0 : return 0;
319 : 0 : }
320 : :
321 : : int s2n_hybrid_server_key_send(struct s2n_connection *conn, struct s2n_blob *total_data_to_sign)
322 : 0 : {
323 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
324 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
325 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
326 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
327 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
328 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
329 : :
330 : : /* Keep a copy to the start of the whole structure for the signature check */
331 : 0 : total_data_to_sign->data = s2n_stuffer_raw_write(&conn->handshake.io, 0);
332 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_sign->data);
333 : :
334 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
335 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_0, conn, &data_to_verify_0));
336 : :
337 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
338 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_1, conn, &data_to_verify_1));
339 : :
340 : 0 : total_data_to_sign->size = data_to_verify_0.size + data_to_verify_1.size;
341 : 0 : return 0;
342 : 0 : }
343 : :
344 : : int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
345 : 848 : {
346 : 848 : struct s2n_stuffer *out = &conn->handshake.io;
347 : :
348 [ - + ]: 848 : POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
349 [ - + ]: 848 : POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
350 : :
351 : 848 : return 0;
352 : 848 : }
|
