Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_tls13_certificate_verify.h"
17 : :
18 : : #include <stdint.h>
19 : :
20 : : #include "crypto/s2n_hash.h"
21 : : #include "error/s2n_errno.h"
22 : : #include "stuffer/s2n_stuffer.h"
23 : : #include "tls/s2n_async_pkey.h"
24 : : #include "tls/s2n_connection.h"
25 : : #include "tls/s2n_tls13_handshake.h"
26 : : #include "utils/s2n_safety.h"
27 : :
28 : : /**
29 : : * Specified in https://tools.ietf.org/html/rfc8446#section-4.4.3
30 : : *
31 : : * Servers MUST send this message when authenticating via a certificate.
32 : : * Clients MUST send this message whenever authenticating via a certificate.
33 : : * When sent, this message MUST appear immediately after the Certificate
34 : : * message and immediately prior to the Finished message.
35 : : **/
36 : :
37 : : /* 64 'space' characters (0x20) */
38 : : const uint8_t S2N_CERT_VERIFY_PREFIX[] = { 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
39 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
40 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
41 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 };
42 : : /* 'TLS 1.3, server CertificateVerify' with 0x00 separator */
43 : : const uint8_t S2N_SERVER_CERT_VERIFY_CONTEXT[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33,
44 : : 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
45 : : 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 };
46 : : /* 'TLS 1.3, client CertificateVerify' with 0x00 separator */
47 : : const uint8_t S2N_CLIENT_CERT_VERIFY_CONTEXT[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33,
48 : : 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
49 : : 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 };
50 : :
51 : : static int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
52 : : const struct s2n_signature_scheme *chosen_sig_scheme);
53 : : static int s2n_tls13_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
54 : : static int s2n_tls13_generate_unsigned_cert_verify_content(struct s2n_connection *conn,
55 : : struct s2n_stuffer *unsigned_content, s2n_mode mode);
56 : : static int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
57 : : const struct s2n_signature_scheme *chosen_sig_scheme);
58 : : static uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode);
59 : :
60 : : int s2n_tls13_cert_verify_send(struct s2n_connection *conn)
61 : 2936 : {
62 [ + + ][ + + ]: 2936 : S2N_ASYNC_PKEY_GUARD(conn);
[ + + ][ - + ]
[ - + ][ + - ]
63 : :
64 [ + + ]: 2912 : if (conn->mode == S2N_SERVER) {
65 : : /* Write digital signature */
66 [ + + ]: 2865 : POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.server_cert_sig_scheme));
67 : 2865 : } else {
68 : : /* Write digital signature */
69 [ + + ]: 47 : POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.client_cert_sig_scheme));
70 : 47 : }
71 : :
72 : 2893 : return 0;
73 : 2912 : }
74 : :
75 : : int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
76 : : const struct s2n_signature_scheme *chosen_sig_scheme)
77 : 2879 : {
78 [ - + ][ # # ]: 2879 : POSIX_ENSURE_REF(conn->handshake_params.our_chain_and_key);
79 : :
80 : : /* Write the SignatureScheme out */
81 : 2879 : struct s2n_stuffer *out = &conn->handshake.io;
82 [ - + ]: 2879 : POSIX_GUARD(s2n_stuffer_write_uint16(out, chosen_sig_scheme->iana_value));
83 : :
84 : 2879 : DEFER_CLEANUP(struct s2n_hash_state message_hash = { 0 }, s2n_hash_free);
85 [ - + ]: 2879 : POSIX_GUARD(s2n_hash_new(&message_hash));
86 [ - + ]: 2879 : POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
87 : :
88 : 2879 : const struct s2n_pkey *pkey = conn->handshake_params.our_chain_and_key->private_key;
89 [ - + ]: 2879 : POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
90 : :
91 : 2879 : DEFER_CLEANUP(struct s2n_stuffer unsigned_content = { 0 }, s2n_stuffer_free);
92 [ - + ]: 2879 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, conn->mode));
93 : :
94 [ - + ]: 2879 : POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
95 : 2879 : s2n_stuffer_data_available(&unsigned_content)));
96 : :
97 [ + + ]: 2879 : S2N_ASYNC_PKEY_SIGN(conn, chosen_sig_scheme->sig_alg, &message_hash, s2n_tls13_write_signature);
98 : 0 : }
99 : :
100 : : int s2n_tls13_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
101 : 2878 : {
102 : 2878 : struct s2n_stuffer *out = &conn->handshake.io;
103 : :
104 [ - + ]: 2878 : POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
105 [ - + ]: 2878 : POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
106 : :
107 : 2878 : return 0;
108 : 2878 : }
109 : :
110 : : int s2n_tls13_generate_unsigned_cert_verify_content(struct s2n_connection *conn,
111 : : struct s2n_stuffer *unsigned_content, s2n_mode mode)
112 : 4976 : {
113 [ - + ]: 4976 : s2n_tls13_connection_keys(tls13_ctx, conn);
114 : :
115 : 4976 : uint8_t hash_digest_length = tls13_ctx.size;
116 : 4976 : uint8_t digest_out[S2N_MAX_DIGEST_LEN];
117 : :
118 : : /* Get current handshake hash */
119 [ # # ][ - + ]: 4976 : POSIX_ENSURE_REF(conn->handshake.hashes);
120 : 4976 : struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
121 [ - + ]: 4976 : POSIX_GUARD_RESULT(s2n_handshake_copy_hash_state(conn, tls13_ctx.hash_algorithm, hash_state));
122 [ - + ]: 4976 : POSIX_GUARD(s2n_hash_digest(hash_state, digest_out, hash_digest_length));
123 : :
124 : : /* Concatenate the content to be signed/verified */
125 [ - + ]: 4976 : POSIX_GUARD(s2n_stuffer_alloc(unsigned_content, hash_digest_length + s2n_tls13_cert_verify_header_length(mode)));
126 [ - + ]: 4976 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_CERT_VERIFY_PREFIX, sizeof(S2N_CERT_VERIFY_PREFIX)));
127 : :
128 [ + + ]: 4976 : if (mode == S2N_CLIENT) {
129 [ - + ]: 67 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_CLIENT_CERT_VERIFY_CONTEXT,
130 : 67 : sizeof(S2N_CLIENT_CERT_VERIFY_CONTEXT)));
131 : 4909 : } else {
132 [ - + ]: 4909 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_SERVER_CERT_VERIFY_CONTEXT,
133 : 4909 : sizeof(S2N_SERVER_CERT_VERIFY_CONTEXT)));
134 : 4909 : }
135 : :
136 [ - + ]: 4976 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, digest_out, hash_digest_length));
137 : :
138 : 4976 : return 0;
139 : 4976 : }
140 : :
141 : : uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode)
142 : 4976 : {
143 [ + + ]: 4976 : if (mode == S2N_CLIENT) {
144 : 67 : return sizeof(S2N_CERT_VERIFY_PREFIX) + sizeof(S2N_CLIENT_CERT_VERIFY_CONTEXT);
145 : 67 : }
146 : 4909 : return sizeof(S2N_CERT_VERIFY_PREFIX) + sizeof(S2N_SERVER_CERT_VERIFY_CONTEXT);
147 : 4976 : }
148 : :
149 : : int s2n_tls13_cert_verify_recv(struct s2n_connection *conn)
150 : 2130 : {
151 [ - + ]: 2130 : POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, &conn->handshake.io));
152 : : /* Read the rest of the signature and verify */
153 [ + + ]: 2130 : if (conn->mode == S2N_SERVER) {
154 [ + + ]: 44 : POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
155 : 44 : conn->handshake_params.client_cert_sig_scheme));
156 : 2086 : } else {
157 [ + + ]: 2086 : POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
158 : 2086 : conn->handshake_params.server_cert_sig_scheme));
159 : 2086 : }
160 : :
161 : 2108 : return 0;
162 : 2130 : }
163 : :
164 : : int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
165 : : const struct s2n_signature_scheme *chosen_sig_scheme)
166 : 2097 : {
167 : 2097 : struct s2n_stuffer *in = &conn->handshake.io;
168 : 2097 : DEFER_CLEANUP(struct s2n_blob signed_content = { 0 }, s2n_free);
169 : 2097 : DEFER_CLEANUP(struct s2n_stuffer unsigned_content = { 0 }, s2n_stuffer_free);
170 : 2097 : DEFER_CLEANUP(struct s2n_hash_state message_hash = { 0 }, s2n_hash_free);
171 [ - + ]: 2097 : POSIX_GUARD(s2n_hash_new(&message_hash));
172 : :
173 : : /* Get signature size */
174 : 2097 : uint16_t signature_size = 0;
175 [ - + ]: 2097 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_size));
176 [ - + ][ # # ]: 2097 : S2N_ERROR_IF(signature_size > s2n_stuffer_data_available(in), S2N_ERR_BAD_MESSAGE);
177 : :
178 : : /* Get wire signature */
179 [ - + ]: 2097 : POSIX_GUARD(s2n_alloc(&signed_content, signature_size));
180 : 2097 : signed_content.size = signature_size;
181 [ - + ]: 2097 : POSIX_GUARD(s2n_stuffer_read_bytes(in, signed_content.data, signature_size));
182 : :
183 : : /* Verify signature. We send the opposite mode as we are trying to verify what was sent to us */
184 [ + + ]: 2097 : if (conn->mode == S2N_CLIENT) {
185 [ - + ]: 2065 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, S2N_SERVER));
186 : 2065 : } else {
187 [ - + ]: 32 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, S2N_CLIENT));
188 : 32 : }
189 : :
190 : 2097 : struct s2n_pkey *pkey = NULL;
191 [ + + ]: 2097 : if (conn->mode == S2N_CLIENT) {
192 : 2065 : pkey = &conn->handshake_params.server_public_key;
193 : 2065 : } else {
194 : 32 : pkey = &conn->handshake_params.client_public_key;
195 : 32 : }
196 : :
197 [ - + ]: 2097 : POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
198 [ - + ]: 2097 : POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
199 [ - + ]: 2097 : POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
200 : 2097 : s2n_stuffer_data_available(&unsigned_content)));
201 : :
202 [ - + ]: 2097 : POSIX_GUARD(s2n_pkey_verify(pkey, chosen_sig_scheme->sig_alg,
203 : 2097 : &message_hash, &signed_content));
204 : 2097 : return 0;
205 : 2097 : }
|
