Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "api/s2n.h"
17 : : #include "crypto/s2n_dhe.h"
18 : : #include "crypto/s2n_fips.h"
19 : : #include "error/s2n_errno.h"
20 : : #include "stuffer/s2n_stuffer.h"
21 : : #include "tls/s2n_async_pkey.h"
22 : : #include "tls/s2n_cipher_preferences.h"
23 : : #include "tls/s2n_cipher_suites.h"
24 : : #include "tls/s2n_connection.h"
25 : : #include "tls/s2n_kem.h"
26 : : #include "tls/s2n_kex.h"
27 : : #include "tls/s2n_security_policies.h"
28 : : #include "tls/s2n_signature_algorithms.h"
29 : : #include "utils/s2n_random.h"
30 : : #include "utils/s2n_safety.h"
31 : :
32 : : static int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
33 : :
34 : : int s2n_server_key_recv(struct s2n_connection *conn)
35 : 820 : {
36 [ - + ][ # # ]: 820 : POSIX_ENSURE_REF(conn);
37 [ # # ][ - + ]: 820 : POSIX_ENSURE_REF(conn->secure);
38 [ - + ][ # # ]: 820 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
39 [ - + ][ # # ]: 820 : POSIX_ENSURE_REF(conn->secure->cipher_suite->key_exchange_alg);
40 [ # # ][ - + ]: 820 : POSIX_ENSURE_REF(conn->handshake.hashes);
41 : :
42 : 820 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
43 : 820 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
44 : 820 : struct s2n_stuffer *in = &conn->handshake.io;
45 : 820 : struct s2n_blob data_to_verify = { 0 };
46 : :
47 [ - + ][ - + ]: 1630 : S2N_ASYNC_OFFLOAD_POSIX_GUARD(conn, {
[ - + ][ - + ]
[ - + ][ - + ]
[ + + ][ # # ]
[ - + ][ # # ]
[ - + ][ + + ]
[ + + ][ - + ]
[ - + ][ + + ]
[ # # ][ - + ]
[ + - ][ - + ]
[ # # ][ - + ]
[ + + ][ + - ]
48 : : /* Read the KEX data */
49 : 810 : struct s2n_kex_raw_server_data kex_data = { 0 };
50 : 810 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
51 : :
52 : : /* Parse the KEX data into whatever form needed and save it to the connection object */
53 : 810 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
54 : :
55 : 810 : POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
56 : 810 : const struct s2n_signature_scheme *active_sig_scheme = conn->handshake_params.server_cert_sig_scheme;
57 : 810 : POSIX_ENSURE_REF(active_sig_scheme);
58 : :
59 : 810 : struct s2n_pkey *pkey = &conn->handshake_params.server_public_key;
60 : :
61 : 810 : POSIX_ENSURE(s2n_result_is_ok(s2n_signature_scheme_params_match(conn, pkey, active_sig_scheme)), S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
62 : :
63 : 810 : POSIX_GUARD(s2n_hash_init(signature_hash, active_sig_scheme->hash_alg));
64 : 810 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->client_hello.random, S2N_TLS_RANDOM_DATA_LEN));
65 : 810 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
66 : :
67 : : /* Add KEX specific data */
68 : 810 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
69 : :
70 : : /* Verify the signature */
71 : 810 : uint16_t signature_length = 0;
72 : 810 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
73 : :
74 : 810 : struct s2n_blob signature = { 0 };
75 : 810 : POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length));
76 : :
77 : 810 : POSIX_ENSURE_REF(signature.data);
78 : 810 : POSIX_ENSURE_GT(signature_length, 0);
79 : :
80 : 810 : POSIX_GUARD(s2n_async_pkey_verify(conn, active_sig_scheme->sig_alg, signature_hash, &signature));
81 : 810 : });
82 : :
83 : : /* We don't need the key any more, so free it */
84 [ - + ]: 810 : POSIX_GUARD(s2n_pkey_free(&conn->handshake_params.server_public_key));
85 : :
86 : 810 : return 0;
87 : 810 : }
88 : :
89 : : int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
90 : : struct s2n_kex_raw_server_data *raw_server_data)
91 : 792 : {
92 : 792 : struct s2n_stuffer *in = &conn->handshake.io;
93 : :
94 [ - + ]: 792 : POSIX_GUARD(s2n_ecc_evp_read_params(in, data_to_verify, &raw_server_data->ecdhe_data));
95 : 792 : return 0;
96 : 792 : }
97 : :
98 : : int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
99 : 792 : {
100 [ - + ]: 792 : POSIX_GUARD(s2n_ecc_evp_parse_params(conn, &raw_server_data->ecdhe_data, &conn->kex_params.server_ecc_evp_params));
101 : :
102 : 792 : return 0;
103 : 792 : }
104 : :
105 : : int s2n_dhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
106 : : struct s2n_kex_raw_server_data *raw_server_data)
107 : 24 : {
108 : 24 : struct s2n_stuffer *in = &conn->handshake.io;
109 : 24 : struct s2n_dhe_raw_server_points *dhe_data = &raw_server_data->dhe_data;
110 : :
111 : 24 : uint16_t p_length = 0;
112 : 24 : uint16_t g_length = 0;
113 : 24 : uint16_t Ys_length = 0;
114 : :
115 : : /* Keep a copy to the start of the whole structure for the signature check */
116 : 24 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
117 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(data_to_verify->data);
118 : :
119 : : /* Read each of the three elements in */
120 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &p_length));
121 : 24 : dhe_data->p.size = p_length;
122 : 24 : dhe_data->p.data = s2n_stuffer_raw_read(in, p_length);
123 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->p.data);
124 : :
125 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &g_length));
126 : 24 : dhe_data->g.size = g_length;
127 : 24 : dhe_data->g.data = s2n_stuffer_raw_read(in, g_length);
128 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->g.data);
129 : :
130 [ - + ]: 24 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
131 : 24 : dhe_data->Ys.size = Ys_length;
132 : 24 : dhe_data->Ys.data = s2n_stuffer_raw_read(in, Ys_length);
133 [ - + ][ # # ]: 24 : POSIX_ENSURE_REF(dhe_data->Ys.data);
134 : :
135 : : /* Now we know the total size of the structure */
136 : 24 : data_to_verify->size = 2 + p_length + 2 + g_length + 2 + Ys_length;
137 : 24 : return 0;
138 : 24 : }
139 : :
140 : : int s2n_dhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
141 : 24 : {
142 : 24 : struct s2n_dhe_raw_server_points dhe_data = raw_server_data->dhe_data;
143 : :
144 : : /* Copy the DH details */
145 [ - + ]: 24 : POSIX_GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->kex_params.server_dh_params, &dhe_data.p, &dhe_data.g, &dhe_data.Ys));
146 : 24 : return 0;
147 : 24 : }
148 : :
149 : : int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify,
150 : : struct s2n_kex_raw_server_data *raw_server_data)
151 : 0 : {
152 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
153 : 0 : struct s2n_stuffer *in = &conn->handshake.io;
154 : :
155 : : /* Keep a copy to the start of the whole structure for the signature check */
156 : 0 : data_to_verify->data = s2n_stuffer_raw_read(in, 0);
157 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_verify->data);
158 : :
159 : : /* the server sends the KEM ID */
160 : 0 : kem_data->kem_name.data = s2n_stuffer_raw_read(in, 2);
161 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_data->kem_name.data);
162 : 0 : kem_data->kem_name.size = 2;
163 : :
164 : 0 : struct s2n_stuffer kem_id_stuffer = { 0 };
165 : 0 : uint8_t kem_id_arr[2];
166 : 0 : kem_extension_size kem_id = 0;
167 : 0 : struct s2n_blob kem_id_blob = { 0 };
168 [ # # ]: 0 : POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr)));
169 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
170 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
171 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));
172 : :
173 [ # # ]: 0 : POSIX_GUARD(s2n_get_kem_from_extension_id(kem_id, &(conn->kex_params.kem_params.kem)));
174 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
175 [ # # ]: 0 : POSIX_GUARD(s2n_kem_recv_public_key(in, &(conn->kex_params.kem_params)));
176 : :
177 : 0 : kem_data->raw_public_key.data = conn->kex_params.kem_params.public_key.data;
178 : 0 : kem_data->raw_public_key.size = conn->kex_params.kem_params.public_key.size;
179 : :
180 : 0 : data_to_verify->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem_data->raw_public_key.size;
181 : :
182 : 0 : return 0;
183 : 0 : }
184 : :
185 : : int s2n_kem_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
186 : 0 : {
187 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
188 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
189 : :
190 : 0 : struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
191 : :
192 : : /* Check that the server's requested kem is supported by the client */
193 : 0 : const struct s2n_kem_preferences *kem_preferences = NULL;
194 [ # # ]: 0 : POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_preferences));
195 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(kem_preferences);
196 : :
197 : 0 : const struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
198 : 0 : const struct s2n_kem *match = NULL;
199 [ # # ][ # # ]: 0 : S2N_ERROR_IF(s2n_choose_kem_with_peer_pref_list(cipher_suite->iana_value, &kem_data->kem_name,
200 : 0 : kem_preferences->kems, kem_preferences->kem_count, &match)
201 : 0 : != 0,
202 : 0 : S2N_ERR_KEM_UNSUPPORTED_PARAMS);
203 : 0 : conn->kex_params.kem_params.kem = match;
204 : :
205 [ # # ][ # # ]: 0 : S2N_ERROR_IF(kem_data->raw_public_key.size != conn->kex_params.kem_params.kem->public_key_length,
206 : 0 : S2N_ERR_BAD_MESSAGE);
207 : :
208 : 0 : return 0;
209 : 0 : }
210 : :
211 : : int s2n_hybrid_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *total_data_to_verify,
212 : : struct s2n_kex_raw_server_data *raw_server_data)
213 : 0 : {
214 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
215 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
216 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
217 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
218 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
219 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
220 : :
221 : : /* Keep a copy to the start of the whole structure for the signature check */
222 : 0 : total_data_to_verify->data = s2n_stuffer_raw_read(&conn->handshake.io, 0);
223 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_verify->data);
224 : :
225 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
226 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_0, conn, &data_to_verify_0, raw_server_data));
227 : :
228 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
229 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_1, conn, &data_to_verify_1, raw_server_data));
230 : :
231 [ # # ]: 0 : POSIX_GUARD(s2n_add_overflow(data_to_verify_0.size, data_to_verify_1.size, &total_data_to_verify->size));
232 : 0 : return 0;
233 : 0 : }
234 : :
235 : : int s2n_hybrid_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
236 : 0 : {
237 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
238 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
239 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
240 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
241 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
242 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
243 : :
244 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_0, conn, raw_server_data));
245 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_1, conn, raw_server_data));
246 : 0 : return 0;
247 : 0 : }
248 : :
249 : : int s2n_server_key_send(struct s2n_connection *conn)
250 : 971 : {
251 [ # # ][ - + ]: 971 : POSIX_ENSURE_REF(conn);
252 [ - + ][ # # ]: 971 : POSIX_ENSURE_REF(conn->handshake.hashes);
253 : :
254 [ + + ][ + + ]: 971 : S2N_ASYNC_PKEY_GUARD(conn);
[ + + ][ - + ]
[ - + ][ + - ]
255 : :
256 : 888 : struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
257 : 888 : const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
258 : 888 : const struct s2n_signature_scheme *sig_scheme = conn->handshake_params.server_cert_sig_scheme;
259 [ - + ][ # # ]: 888 : POSIX_ENSURE_REF(sig_scheme);
260 : 888 : struct s2n_stuffer *out = &conn->handshake.io;
261 : 888 : struct s2n_blob data_to_sign = { 0 };
262 : :
263 : : /* Call the negotiated key exchange method to send it's data */
264 [ - + ]: 888 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
265 : :
266 : : /* Add common signature data */
267 [ + + ]: 888 : if (conn->actual_protocol_version == S2N_TLS12) {
268 [ - + ]: 717 : POSIX_GUARD(s2n_stuffer_write_uint16(out, sig_scheme->iana_value));
269 : 717 : }
270 : :
271 : : /* Add the random data to the hash */
272 [ - + ]: 888 : POSIX_GUARD(s2n_hash_init(signature_hash, sig_scheme->hash_alg));
273 [ - + ]: 888 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->client_hello.random, S2N_TLS_RANDOM_DATA_LEN));
274 [ - + ]: 888 : POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
275 : :
276 : : /* Add KEX specific data to the hash */
277 [ - + ]: 888 : POSIX_GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
278 : :
279 [ + + ]: 888 : S2N_ASYNC_PKEY_SIGN(conn, sig_scheme->sig_alg, signature_hash,
280 : 0 : s2n_server_key_send_write_signature);
281 : 0 : }
282 : :
283 : : int s2n_ecdhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
284 : 864 : {
285 : 864 : struct s2n_stuffer *out = &conn->handshake.io;
286 : :
287 : : /* Generate an ephemeral key and */
288 [ - + ]: 864 : POSIX_GUARD(s2n_ecc_evp_generate_ephemeral_key(&conn->kex_params.server_ecc_evp_params));
289 : :
290 : : /* Write it out and calculate the data to sign later */
291 [ - + ]: 864 : POSIX_GUARD(s2n_ecc_evp_write_params(&conn->kex_params.server_ecc_evp_params, out, data_to_sign));
292 : 864 : return 0;
293 : 864 : }
294 : :
295 : : int s2n_dhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
296 : 24 : {
297 : 24 : struct s2n_stuffer *out = &conn->handshake.io;
298 : :
299 : : /* Duplicate the DH key from the config */
300 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->kex_params.server_dh_params));
301 : :
302 : : /* Generate an ephemeral key */
303 [ - + ]: 24 : POSIX_GUARD(s2n_dh_generate_ephemeral_key(&conn->kex_params.server_dh_params));
304 : :
305 : : /* Write it out and calculate the data to sign later */
306 [ - + ]: 24 : POSIX_GUARD(s2n_dh_params_to_p_g_Ys(&conn->kex_params.server_dh_params, out, data_to_sign));
307 : 24 : return 0;
308 : 24 : }
309 : :
310 : : int s2n_kem_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
311 : 0 : {
312 : 0 : struct s2n_stuffer *out = &conn->handshake.io;
313 : 0 : const struct s2n_kem *kem = conn->kex_params.kem_params.kem;
314 : :
315 : 0 : data_to_sign->data = s2n_stuffer_raw_write(out, 0);
316 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(data_to_sign->data);
317 : :
318 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->kem_extension_id));
319 : 0 : conn->kex_params.kem_params.len_prefixed = true; /* PQ TLS 1.2 is always length prefixed. */
320 [ # # ]: 0 : POSIX_GUARD(s2n_kem_send_public_key(out, &(conn->kex_params.kem_params)));
321 : :
322 : 0 : data_to_sign->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem->public_key_length;
323 : :
324 : 0 : return 0;
325 : 0 : }
326 : :
327 : : int s2n_hybrid_server_key_send(struct s2n_connection *conn, struct s2n_blob *total_data_to_sign)
328 : 0 : {
329 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn);
330 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure);
331 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
332 : 0 : const struct s2n_kex *kex = conn->secure->cipher_suite->key_exchange_alg;
333 : 0 : const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
334 : 0 : const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
335 : :
336 : : /* Keep a copy to the start of the whole structure for the signature check */
337 : 0 : total_data_to_sign->data = s2n_stuffer_raw_write(&conn->handshake.io, 0);
338 [ # # ][ # # ]: 0 : POSIX_ENSURE_REF(total_data_to_sign->data);
339 : :
340 : 0 : struct s2n_blob data_to_verify_0 = { 0 };
341 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_0, conn, &data_to_verify_0));
342 : :
343 : 0 : struct s2n_blob data_to_verify_1 = { 0 };
344 [ # # ]: 0 : POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_1, conn, &data_to_verify_1));
345 : :
346 [ # # ]: 0 : POSIX_GUARD(s2n_add_overflow(data_to_verify_0.size, data_to_verify_1.size, &total_data_to_sign->size));
347 : 0 : return 0;
348 : 0 : }
349 : :
350 : : int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
351 : 886 : {
352 : 886 : struct s2n_stuffer *out = &conn->handshake.io;
353 : :
354 [ - + ]: 886 : POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
355 [ - + ]: 886 : POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
356 : :
357 : 886 : return 0;
358 : 886 : }
|
