Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "api/s2n.h"
17 : : #include "crypto/s2n_dhe.h"
18 : : #include "crypto/s2n_fips.h"
19 : : #include "error/s2n_errno.h"
20 : : #include "stuffer/s2n_stuffer.h"
21 : : #include "tls/s2n_async_pkey.h"
22 : : #include "tls/s2n_cipher_preferences.h"
23 : : #include "tls/s2n_cipher_suites.h"
24 : : #include "tls/s2n_connection.h"
25 : : #include "tls/s2n_kem.h"
26 : : #include "tls/s2n_kex.h"
27 : : #include "tls/s2n_security_policies.h"
28 : : #include "tls/s2n_signature_algorithms.h"
29 : : #include "utils/s2n_random.h"
30 : : #include "utils/s2n_safety.h"
31 : :
32 : : static int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
33 : :
34 : : int s2n_server_key_recv(struct s2n_connection *conn)
35 : 836 : {
36 [ - + ][ # # ]: 836 : POSIX_ENSURE_REF(conn);
37 [ - + ][ # # ]: 836 : POSIX_ENSURE_REF(conn->secure);
38 [ # # ][ - + ]: 836 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
39 [ - + ][ # # ]: 836 : POSIX_ENSURE_REF(conn->secure->cipher_suite->key_exchange_alg);
40 [ - + ][ # # ]: 836 : POSIX_ENSURE_REF(conn->handshake.hashes);
41 : :
42 : 836 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
43 : 836 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
44 : 836 : struct s2n_stuffer *in = &conn->handshake.io;
45 : 836 : struct s2n_blob data_to_verify = { 0 };
46 : :
47 [ - + ][ - + ]: 1663 : S2N_ASYNC_OFFLOAD_POSIX_GUARD(conn, {
[ - + ][ - + ]
[ - + ][ + + ]
[ # # ][ - + ]
[ # # ][ - + ]
[ - + ][ + + ]
[ - + ][ - + ]
[ + + ][ - + ]
[ # # ][ - + ]
[ # # ][ - + ]
[ + + ][ + - ]
48 : : /* Read the KEX data */
49 : 827 : struct s2n_kex_raw_server_data kex_data = { 0 };
50 : 827 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
51 : :
52 : : /* Parse the KEX data into whatever form needed and save it to the connection object */
53 : 827 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
54 : :
55 : 827 : POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
56 : 827 : const struct s2n_signature_scheme *active_sig_scheme = conn->handshake_params.server_cert_sig_scheme;
57 : 827 : POSIX_ENSURE_REF(active_sig_scheme);
58 : :
59 : 827 : POSIX_GUARD(s2n_hash_init(signature_hash, active_sig_scheme->hash_alg));
60 : 827 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN));
61 : 827 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
62 : :
63 : : /* Add KEX specific data */
64 : 827 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
65 : :
66 : : /* Verify the signature */
67 : 827 : uint16_t signature_length = 0;
68 : 827 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
69 : :
70 : 827 : struct s2n_blob signature = { 0 };
71 : 827 : POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length));
72 : :
73 : 827 : POSIX_ENSURE_REF(signature.data);
74 : 827 : POSIX_ENSURE_GT(signature_length, 0);
75 : :
76 : 827 : POSIX_GUARD(s2n_async_pkey_verify(conn, active_sig_scheme->sig_alg, signature_hash, &signature));
77 : 827 : });
78 : :
79 : : /* We don't need the key any more, so free it */
80 [ - + ]: 827 : POSIX_GUARD(s2n_pkey_free(&conn->handshake_params.server_public_key));
81 : :
82 : 827 : return 0;
83 : 827 : }
84 : :
85 : : int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
86 : : struct s2n_kex_raw_server_data *raw_server_data)
87 : 808 : {
88 : 808 : struct s2n_stuffer *in = &conn->handshake.io;
89 : :
90 [ - + ]: 808 : POSIX_GUARD(s2n_ecc_evp_read_params(in, data_to_verify, &raw_server_data->ecdhe_data));
91 : 808 : return 0;
92 : 808 : }
93 : :
94 : : int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
95 : 808 : {
96 [ - + ]: 808 : POSIX_GUARD(s2n_ecc_evp_parse_params(conn, &raw_server_data->ecdhe_data, &conn->kex_params.server_ecc_evp_params));
97 : :
98 : 808 : return 0;
99 : 808 : }
100 : :
101 : : int s2n_dhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
102 : : struct s2n_kex_raw_server_data *raw_server_data)
103 : 24 : {
104 : 24 : struct s2n_stuffer *in = &conn->handshake.io;
105 : 24 : struct s2n_dhe_raw_server_points *dhe_data = &raw_server_data->dhe_data;
106 : :
107 : 24 : uint16_t p_length = 0;
108 : 24 : uint16_t g_length = 0;
109 : 24 : uint16_t Ys_length = 0;
110 : :
111 : : /* Keep a copy to the start of the whole structure for the signature check */
112 : 24 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
113 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(data_to_verify->data);
114 : :
115 : : /* Read each of the three elements in */
116 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &p_length));
117 : 24 : dhe_data->p.size = p_length;
118 : 24 : dhe_data->p.data = s2n_stuffer_raw_read(in, p_length);
119 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->p.data);
120 : :
121 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &g_length));
122 : 24 : dhe_data->g.size = g_length;
123 : 24 : dhe_data->g.data = s2n_stuffer_raw_read(in, g_length);
124 [ # # ][ - + ]: 24 : POSIX_ENSURE_REF(dhe_data->g.data);
125 : :
126 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
127 : 24 : dhe_data->Ys.size = Ys_length;
128 : 24 : dhe_data->Ys.data = s2n_stuffer_raw_read(in, Ys_length);
129 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->Ys.data);
130 : :
131 : : /* Now we know the total size of the structure */
132 : 24 : data_to_verify->size = 2 + p_length + 2 + g_length + 2 + Ys_length;
133 : 24 : return 0;
134 : 24 : }
135 : :
136 : : int s2n_dhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
137 : 24 : {
138 : 24 : struct s2n_dhe_raw_server_points dhe_data = raw_server_data->dhe_data;
139 : :
140 : : /* Copy the DH details */
141 [ - + ]: 24 : POSIX_GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->kex_params.server_dh_params, &dhe_data.p, &dhe_data.g, &dhe_data.Ys));
142 : 24 : return 0;
143 : 24 : }
144 : :
145 : : int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
146 : : struct s2n_kex_raw_server_data *raw_server_data)
147 : 0 : {
148 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
149 : 0 : struct s2n_stuffer *in = &conn->handshake.io;
150 : :
151 : : /* Keep a copy to the start of the whole structure for the signature check */
152 : 0 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
153 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_verify->data);
154 : :
155 : : /* the server sends the KEM ID */
156 : 0 : kem_data->kem_name.data = s2n_stuffer_raw_read(in, 2);
157 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_data->kem_name.data);
158 : 0 : kem_data->kem_name.size = 2;
159 : :
160 : 0 : struct s2n_stuffer kem_id_stuffer = { 0 };
161 : 0 : uint8_t kem_id_arr[2];
162 : 0 : kem_extension_size kem_id = 0;
163 : 0 : struct s2n_blob kem_id_blob = { 0 };
164 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr)));
165 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
166 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
167 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));
168 : :
169 [ # # ]: 0 : POSIX_GUARD(s2n_get_kem_from_extension_id(kem_id, &(conn->kex_params.kem_params.kem)));
170 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
171 [ # # ]: 0 : POSIX_GUARD(s2n_kem_recv_public_key(in, &(conn->kex_params.kem_params)));
172 : :
173 : 0 : kem_data->raw_public_key.data = conn->kex_params.kem_params.public_key.data;
174 : 0 : kem_data->raw_public_key.size = conn->kex_params.kem_params.public_key.size;
175 : :
176 : 0 : data_to_verify->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem_data->raw_public_key.size;
177 : :
178 : 0 : return 0;
179 : 0 : }
180 : :
181 : : int s2n_kem_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
182 : 0 : {
183 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
184 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
185 : :
186 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
187 : :
188 : : /* Check that the server's requested kem is supported by the client */
189 : 0 : const struct s2n_kem_preferences *kem_preferences = NULL;
190 [ # # ]: 0 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_preferences));
191 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_preferences);
192 : :
193 : 0 : const struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
194 : 0 : const struct s2n_kem *match = NULL;
195 [ # # ][ # # ]: 0 : S2N_ERROR_IF(s2n_choose_kem_with_peer_pref_list(cipher_suite->iana_value, &kem_data->kem_name,
196 : 0 : kem_preferences->kems, kem_preferences->kem_count, &match)
197 : 0 : != 0,
198 : 0 : S2N_ERR_KEM_UNSUPPORTED_PARAMS);
199 : 0 : conn->kex_params.kem_params.kem = match;
200 : :
201 [ # # ][ # # ]: 0 : S2N_ERROR_IF(kem_data->raw_public_key.size != conn->kex_params.kem_params.kem->public_key_length,
202 : 0 : S2N_ERR_BAD_MESSAGE);
203 : :
204 : 0 : return 0;
205 : 0 : }
206 : :
207 : : int s2n_hybrid_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *total_data_to_verify,
208 : : struct s2n_kex_raw_server_data *raw_server_data)
209 : 0 : {
210 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
211 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
212 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
213 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
214 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
215 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
216 : :
217 : : /* Keep a copy to the start of the whole structure for the signature check */
218 : 0 : total_data_to_verify->data = s2n_stuffer_raw_read(&conn->handshake.io, 0);
219 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_verify->data);
220 : :
221 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
222 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_0, conn, &data_to_verify_0, raw_server_data));
223 : :
224 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
225 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_1, conn, &data_to_verify_1, raw_server_data));
226 : :
227 : 0 : total_data_to_verify->size = data_to_verify_0.size + data_to_verify_1.size;
228 : 0 : return 0;
229 : 0 : }
230 : :
231 : : int s2n_hybrid_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
232 : 0 : {
233 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
234 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
235 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
236 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
237 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
238 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
239 : :
240 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_0, conn, raw_server_data));
241 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_1, conn, raw_server_data));
242 : 0 : return 0;
243 : 0 : }
244 : :
245 : : int s2n_server_key_send(struct s2n_connection *conn)
246 : 988 : {
247 [ - + ][ # # ]: 988 : POSIX_ENSURE_REF(conn);
248 [ - + ][ # # ]: 988 : POSIX_ENSURE_REF(conn->handshake.hashes);
249 : :
250 [ + + ][ + + ]: 988 : S2N_ASYNC_PKEY_GUARD(conn);
[ + + ][ - + ]
[ - + ][ + - ]
251 : :
252 : 905 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
253 : 905 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
254 : 905 : const struct s2n_signature_scheme *sig_scheme = conn->handshake_params.server_cert_sig_scheme;
255 [ - + ][ # # ]: 905 : POSIX_ENSURE_REF(sig_scheme);
256 : 905 : struct s2n_stuffer *out = &conn->handshake.io;
257 : 905 : struct s2n_blob data_to_sign = { 0 };
258 : :
259 : : /* Call the negotiated key exchange method to send it's data */
260 [ - + ]: 905 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
261 : :
262 : : /* Add common signature data */
263 [ + + ]: 905 : if (conn->actual_protocol_version == S2N_TLS12) {
264 [ - + ]: 734 : POSIX_GUARD(s2n_stuffer_write_uint16(out, sig_scheme->iana_value));
265 : 734 : }
266 : :
267 : : /* Add the random data to the hash */
268 [ - + ]: 905 : POSIX_GUARD(s2n_hash_init(signature_hash, sig_scheme->hash_alg));
269 [ - + ]: 905 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN));
270 [ - + ]: 905 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
271 : :
272 : : /* Add KEX specific data to the hash */
273 [ - + ]: 905 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
274 : :
275 [ + + ]: 905 : S2N_ASYNC_PKEY_SIGN(conn, sig_scheme->sig_alg, signature_hash,
276 : 0 : s2n_server_key_send_write_signature);
277 : 0 : }
278 : :
279 : : int s2n_ecdhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
280 : 881 : {
281 : 881 : struct s2n_stuffer *out = &conn->handshake.io;
282 : :
283 : : /* Generate an ephemeral key and */
284 [ - + ]: 881 : POSIX_GUARD(s2n_ecc_evp_generate_ephemeral_key(&conn->kex_params.server_ecc_evp_params));
285 : :
286 : : /* Write it out and calculate the data to sign later */
287 [ - + ]: 881 : POSIX_GUARD(s2n_ecc_evp_write_params(&conn->kex_params.server_ecc_evp_params, out, data_to_sign));
288 : 881 : return 0;
289 : 881 : }
290 : :
291 : : int s2n_dhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
292 : 24 : {
293 : 24 : struct s2n_stuffer *out = &conn->handshake.io;
294 : :
295 : : /* Duplicate the DH key from the config */
296 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->kex_params.server_dh_params));
297 : :
298 : : /* Generate an ephemeral key */
299 [ - + ]: 24 : POSIX_GUARD(s2n_dh_generate_ephemeral_key(&conn->kex_params.server_dh_params));
300 : :
301 : : /* Write it out and calculate the data to sign later */
302 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_to_p_g_Ys(&conn->kex_params.server_dh_params, out, data_to_sign));
303 : 24 : return 0;
304 : 24 : }
305 : :
306 : : int s2n_kem_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
307 : 0 : {
308 : 0 : struct s2n_stuffer *out = &conn->handshake.io;
309 : 0 : const struct s2n_kem *kem = conn->kex_params.kem_params.kem;
310 : :
311 : 0 : data_to_sign->data = s2n_stuffer_raw_write(out, 0);
312 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_sign->data);
313 : :
314 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->kem_extension_id));
315 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
316 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_public_key(out, &(conn->kex_params.kem_params)));
317 : :
318 : 0 : data_to_sign->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem->public_key_length;
319 : :
320 : 0 : return 0;
321 : 0 : }
322 : :
323 : : int s2n_hybrid_server_key_send(struct s2n_connection *conn, struct s2n_blob *total_data_to_sign)
324 : 0 : {
325 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
326 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
327 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
328 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
329 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
330 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
331 : :
332 : : /* Keep a copy to the start of the whole structure for the signature check */
333 : 0 : total_data_to_sign->data = s2n_stuffer_raw_write(&conn->handshake.io, 0);
334 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_sign->data);
335 : :
336 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
337 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_0, conn, &data_to_verify_0));
338 : :
339 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
340 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_1, conn, &data_to_verify_1));
341 : :
342 : 0 : total_data_to_sign->size = data_to_verify_0.size + data_to_verify_1.size;
343 : 0 : return 0;
344 : 0 : }
345 : :
346 : : int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
347 : 903 : {
348 : 903 : struct s2n_stuffer *out = &conn->handshake.io;
349 : :
350 [ - + ]: 903 : POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
351 [ - + ]: 903 : POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
352 : :
353 : 903 : return 0;
354 : 903 : }
|
