Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_tls13_certificate_verify.h"
17 : :
18 : : #include <stdint.h>
19 : :
20 : : #include "crypto/s2n_hash.h"
21 : : #include "error/s2n_errno.h"
22 : : #include "stuffer/s2n_stuffer.h"
23 : : #include "tls/s2n_async_pkey.h"
24 : : #include "tls/s2n_connection.h"
25 : : #include "tls/s2n_tls13_handshake.h"
26 : : #include "utils/s2n_safety.h"
27 : :
28 : : /**
29 : : * Specified in https://tools.ietf.org/html/rfc8446#section-4.4.3
30 : : *
31 : : * Servers MUST send this message when authenticating via a certificate.
32 : : * Clients MUST send this message whenever authenticating via a certificate.
33 : : * When sent, this message MUST appear immediately after the Certificate
34 : : * message and immediately prior to the Finished message.
35 : : **/
36 : :
37 : : /* 64 'space' characters (0x20) */
38 : : const uint8_t S2N_CERT_VERIFY_PREFIX[] = { 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
39 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
40 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
41 : : 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 };
42 : : /* 'TLS 1.3, server CertificateVerify' with 0x00 separator */
43 : : const uint8_t S2N_SERVER_CERT_VERIFY_CONTEXT[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33,
44 : : 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
45 : : 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 };
46 : : /* 'TLS 1.3, client CertificateVerify' with 0x00 separator */
47 : : const uint8_t S2N_CLIENT_CERT_VERIFY_CONTEXT[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33,
48 : : 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
49 : : 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 };
50 : :
51 : : static int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
52 : : const struct s2n_signature_scheme *chosen_sig_scheme);
53 : : static int s2n_tls13_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
54 : : static int s2n_tls13_generate_unsigned_cert_verify_content(struct s2n_connection *conn,
55 : : struct s2n_stuffer *unsigned_content, s2n_mode mode);
56 : : static int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
57 : : const struct s2n_signature_scheme *chosen_sig_scheme);
58 : : static uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode);
59 : :
60 : : int s2n_tls13_cert_verify_send(struct s2n_connection *conn)
61 : 3165 : {
62 [ + + ][ + + ]: 3165 : S2N_ASYNC_PKEY_GUARD(conn);
[ + + ][ - + ]
[ - + ][ + - ]
63 : :
64 [ + + ]: 3141 : if (conn->mode == S2N_SERVER) {
65 : : /* Write digital signature */
66 [ + + ]: 3074 : POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.server_cert_sig_scheme));
67 : 3074 : } else {
68 : : /* Write digital signature */
69 [ + + ]: 67 : POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.client_cert_sig_scheme));
70 : 67 : }
71 : :
72 : 3122 : return 0;
73 : 3141 : }
74 : :
75 : : int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
76 : : const struct s2n_signature_scheme *chosen_sig_scheme)
77 : 3108 : {
78 [ - + ][ # # ]: 3108 : POSIX_ENSURE_REF(conn->handshake_params.our_chain_and_key);
79 : :
80 : : /* Write the SignatureScheme out */
81 : 3108 : struct s2n_stuffer *out = &conn->handshake.io;
82 [ - + ]: 3108 : POSIX_GUARD(s2n_stuffer_write_uint16(out, chosen_sig_scheme->iana_value));
83 : :
84 : 3108 : DEFER_CLEANUP(struct s2n_hash_state message_hash = { 0 }, s2n_hash_free);
85 [ - + ]: 3108 : POSIX_GUARD(s2n_hash_new(&message_hash));
86 [ - + ]: 3108 : POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
87 : :
88 : 3108 : const struct s2n_pkey *pkey = conn->handshake_params.our_chain_and_key->private_key;
89 [ - + ]: 3108 : POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
90 : :
91 : 3108 : DEFER_CLEANUP(struct s2n_stuffer unsigned_content = { 0 }, s2n_stuffer_free);
92 [ - + ]: 3108 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, conn->mode));
93 : :
94 [ - + ]: 3108 : POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
95 : 3108 : s2n_stuffer_data_available(&unsigned_content)));
96 : :
97 [ + + ]: 3108 : S2N_ASYNC_PKEY_SIGN(conn, chosen_sig_scheme->sig_alg, &message_hash, s2n_tls13_write_signature);
98 : 0 : }
99 : :
100 : : int s2n_tls13_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
101 : 3107 : {
102 : 3107 : struct s2n_stuffer *out = &conn->handshake.io;
103 : :
104 [ - + ]: 3107 : POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
105 [ - + ]: 3107 : POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
106 : :
107 : 3107 : return 0;
108 : 3107 : }
109 : :
110 : : int s2n_tls13_generate_unsigned_cert_verify_content(struct s2n_connection *conn,
111 : : struct s2n_stuffer *unsigned_content, s2n_mode mode)
112 : 5434 : {
113 [ - + ]: 5434 : s2n_tls13_connection_keys(tls13_ctx, conn);
114 : :
115 : 5434 : uint8_t hash_digest_length = tls13_ctx.size;
116 : 5434 : uint8_t digest_out[S2N_MAX_DIGEST_LEN];
117 : :
118 : : /* Get current handshake hash */
119 [ - + ][ # # ]: 5434 : POSIX_ENSURE_REF(conn->handshake.hashes);
120 : 5434 : struct s2n_hash_state *hash_state = &conn->handshake.hashes->hash_workspace;
121 [ - + ]: 5434 : POSIX_GUARD_RESULT(s2n_handshake_copy_hash_state(conn, tls13_ctx.hash_algorithm, hash_state));
122 [ - + ]: 5434 : POSIX_GUARD(s2n_hash_digest(hash_state, digest_out, hash_digest_length));
123 : :
124 : : /* Concatenate the content to be signed/verified */
125 [ - + ]: 5434 : POSIX_GUARD(s2n_stuffer_alloc(unsigned_content, hash_digest_length + s2n_tls13_cert_verify_header_length(mode)));
126 [ - + ]: 5434 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_CERT_VERIFY_PREFIX, sizeof(S2N_CERT_VERIFY_PREFIX)));
127 : :
128 [ + + ]: 5434 : if (mode == S2N_CLIENT) {
129 [ - + ]: 107 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_CLIENT_CERT_VERIFY_CONTEXT,
130 : 107 : sizeof(S2N_CLIENT_CERT_VERIFY_CONTEXT)));
131 : 5327 : } else {
132 [ - + ]: 5327 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, S2N_SERVER_CERT_VERIFY_CONTEXT,
133 : 5327 : sizeof(S2N_SERVER_CERT_VERIFY_CONTEXT)));
134 : 5327 : }
135 : :
136 [ - + ]: 5434 : POSIX_GUARD(s2n_stuffer_write_bytes(unsigned_content, digest_out, hash_digest_length));
137 : :
138 : 5434 : return 0;
139 : 5434 : }
140 : :
141 : : uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode)
142 : 5434 : {
143 [ + + ]: 5434 : if (mode == S2N_CLIENT) {
144 : 107 : return sizeof(S2N_CERT_VERIFY_PREFIX) + sizeof(S2N_CLIENT_CERT_VERIFY_CONTEXT);
145 : 107 : }
146 : 5327 : return sizeof(S2N_CERT_VERIFY_PREFIX) + sizeof(S2N_SERVER_CERT_VERIFY_CONTEXT);
147 : 5434 : }
148 : :
149 : : int s2n_tls13_cert_verify_recv(struct s2n_connection *conn)
150 : 2365 : {
151 [ + + ][ + + ]: 4701 : S2N_ASYNC_OFFLOAD_POSIX_GUARD(conn, {
[ + + ][ - + ]
[ + + ][ # # ]
[ - + ][ - + ]
[ + + ][ + - ]
152 : 2336 : POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, &conn->handshake.io));
153 : : /* Read the rest of the signature and verify */
154 : 2336 : if (conn->mode == S2N_SERVER) {
155 : 2336 : POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
156 : 2336 : conn->handshake_params.client_cert_sig_scheme));
157 : 2336 : } else {
158 : 2336 : POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
159 : 2336 : conn->handshake_params.server_cert_sig_scheme));
160 : 2336 : }
161 : 2336 : });
162 : 2336 : return 0;
163 : 4701 : }
164 : :
165 : : int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
166 : : const struct s2n_signature_scheme *chosen_sig_scheme)
167 : 2326 : {
168 : 2326 : struct s2n_stuffer *in = &conn->handshake.io;
169 : 2326 : DEFER_CLEANUP(struct s2n_blob signed_content = { 0 }, s2n_free);
170 : 2326 : DEFER_CLEANUP(struct s2n_stuffer unsigned_content = { 0 }, s2n_stuffer_free);
171 : 2326 : DEFER_CLEANUP(struct s2n_hash_state message_hash = { 0 }, s2n_hash_free);
172 [ - + ]: 2326 : POSIX_GUARD(s2n_hash_new(&message_hash));
173 : :
174 : : /* Get signature size */
175 : 2326 : uint16_t signature_size = 0;
176 [ - + ]: 2326 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_size));
177 [ - + ][ # # ]: 2326 : S2N_ERROR_IF(signature_size > s2n_stuffer_data_available(in), S2N_ERR_BAD_MESSAGE);
178 : :
179 : : /* Get wire signature */
180 [ - + ]: 2326 : POSIX_GUARD(s2n_alloc(&signed_content, signature_size));
181 : 2326 : signed_content.size = signature_size;
182 [ - + ]: 2326 : POSIX_GUARD(s2n_stuffer_read_bytes(in, signed_content.data, signature_size));
183 : :
184 : : /* Verify signature. We send the opposite mode as we are trying to verify what was sent to us */
185 [ + + ]: 2326 : if (conn->mode == S2N_CLIENT) {
186 [ - + ]: 2274 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, S2N_SERVER));
187 : 2274 : } else {
188 [ - + ]: 52 : POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, S2N_CLIENT));
189 : 52 : }
190 : :
191 : 2326 : struct s2n_pkey *pkey = NULL;
192 [ + + ]: 2326 : if (conn->mode == S2N_CLIENT) {
193 : 2274 : pkey = &conn->handshake_params.server_public_key;
194 : 2274 : } else {
195 : 52 : pkey = &conn->handshake_params.client_public_key;
196 : 52 : }
197 : :
198 [ - + ]: 2326 : POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
199 [ - + ]: 2326 : POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
200 [ - + ]: 2326 : POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
201 : 2326 : s2n_stuffer_data_available(&unsigned_content)));
202 : :
203 [ + + ]: 2326 : POSIX_GUARD(s2n_async_pkey_verify(conn, chosen_sig_scheme->sig_alg,
204 : 2322 : &message_hash, &signed_content));
205 : :
206 : 2322 : return 0;
207 : 2326 : }
|
