author | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
---|---|---|
committer | thegeorg <thegeorg@yandex-team.ru> | 2022-05-10 22:16:03 +0300 |
commit | 09c71d918d4d0b0ebf67e1ab41aa90ddf587a3f2 (patch) | |
tree | dd44d2cb68e2845c2d4c367b66893f3e043a6e8e /contrib/restricted/aws/s2n/tls/s2n_psk.c | |
parent | 5eb4a8a2d487411924e1d1b27c454223dcf35005 (diff) | |
Update contrib/restricted/aws/s2n to 1.3.12
ref:f8279d764b4c00974a63543a1364c91e2b81b7a6
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_psk.c')
-rw-r--r-- | contrib/restricted/aws/s2n/tls/s2n_psk.c | 597 |
1 files changed, 480 insertions, 117 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_psk.c b/contrib/restricted/aws/s2n/tls/s2n_psk.c index 59d4d75158..4aacb13d87 100644 --- a/contrib/restricted/aws/s2n/tls/s2n_psk.c +++ b/contrib/restricted/aws/s2n/tls/s2n_psk.c @@ -13,11 +13,15 @@ * permissions and limitations under the License. */ +#include <sys/param.h> + #include "crypto/s2n_tls13_keys.h" #include "tls/s2n_handshake.h" #include "tls/s2n_tls13_handshake.h" #include "tls/s2n_tls.h" +#include "tls/extensions/s2n_extension_type.h" +#include "tls/s2n_tls13_secrets.h" #include "utils/s2n_array.h" #include "utils/s2n_mem.h" 
@@ -25,100 +29,373 @@ #define S2N_HASH_ALG_COUNT S2N_HASH_SENTINEL -int s2n_psk_init(struct s2n_psk *psk, s2n_psk_type type) +S2N_RESULT s2n_psk_init(struct s2n_psk *psk, s2n_psk_type type) { - notnull_check(psk); + RESULT_ENSURE_MUT(psk); - memset_check(psk, 0, sizeof(struct s2n_psk)); + RESULT_CHECKED_MEMSET(psk, 0, sizeof(struct s2n_psk)); psk->hmac_alg = S2N_HMAC_SHA256; psk->type = type; - return S2N_SUCCESS; + return S2N_RESULT_OK; } -int s2n_psk_new_identity(struct s2n_psk *psk, const uint8_t *identity, size_t identity_size) +struct s2n_psk* s2n_external_psk_new() { - notnull_check(psk); + DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free); + PTR_GUARD_POSIX(s2n_alloc(&mem, sizeof(struct s2n_psk))); - GUARD(s2n_realloc(&psk->identity, identity_size)); - memcpy_check(psk->identity.data, identity, identity_size); + struct s2n_psk *psk = (struct s2n_psk*)(void*) mem.data; + PTR_GUARD_RESULT(s2n_psk_init(psk, S2N_PSK_TYPE_EXTERNAL)); + + ZERO_TO_DISABLE_DEFER_CLEANUP(mem); + return psk; +} + +int s2n_psk_set_identity(struct s2n_psk *psk, const uint8_t *identity, uint16_t identity_size) +{ + POSIX_ENSURE_REF(psk); + POSIX_ENSURE_REF(identity); + POSIX_ENSURE(identity_size != 0, S2N_ERR_INVALID_ARGUMENT); + + POSIX_GUARD(s2n_realloc(&psk->identity, identity_size)); + POSIX_CHECKED_MEMCPY(psk->identity.data, identity, identity_size); return S2N_SUCCESS; } -int s2n_psk_new_secret(struct s2n_psk *psk, const uint8_t *secret, size_t secret_size) +int s2n_psk_set_secret(struct s2n_psk *psk, const uint8_t *secret, uint16_t secret_size) { - notnull_check(psk); + POSIX_ENSURE_REF(psk); + POSIX_ENSURE_REF(secret); + POSIX_ENSURE(secret_size != 0, S2N_ERR_INVALID_ARGUMENT); - GUARD(s2n_realloc(&psk->secret, secret_size)); - memcpy_check(psk->secret.data, secret, secret_size); + POSIX_GUARD(s2n_realloc(&psk->secret, secret_size)); + POSIX_CHECKED_MEMCPY(psk->secret.data, secret, secret_size); return S2N_SUCCESS; } -int s2n_psk_free(struct s2n_psk *psk) +S2N_RESULT 
s2n_psk_clone(struct s2n_psk *new_psk, struct s2n_psk *original_psk) +{ + if (original_psk == NULL) { + return S2N_RESULT_OK; + } + RESULT_ENSURE_REF(new_psk); + + struct s2n_psk psk_copy = *new_psk; + + /* Copy all fields from the old_config EXCEPT the blobs, which we need to reallocate. */ + *new_psk = *original_psk; + new_psk->identity = psk_copy.identity; + new_psk->secret = psk_copy.secret; + new_psk->early_secret = psk_copy.early_secret; + new_psk->early_data_config = psk_copy.early_data_config; + + /* Clone / realloc blobs */ + RESULT_GUARD_POSIX(s2n_psk_set_identity(new_psk, original_psk->identity.data, original_psk->identity.size)); + RESULT_GUARD_POSIX(s2n_psk_set_secret(new_psk, original_psk->secret.data, original_psk->secret.size)); + RESULT_GUARD_POSIX(s2n_realloc(&new_psk->early_secret, original_psk->early_secret.size)); + RESULT_CHECKED_MEMCPY(new_psk->early_secret.data, original_psk->early_secret.data, original_psk->early_secret.size); + RESULT_GUARD(s2n_early_data_config_clone(new_psk, &original_psk->early_data_config)); + + return S2N_RESULT_OK; +} + +S2N_CLEANUP_RESULT s2n_psk_wipe(struct s2n_psk *psk) { if (psk == NULL) { - return S2N_SUCCESS; + return S2N_RESULT_OK; } - GUARD(s2n_free(&psk->early_secret)); - GUARD(s2n_free(&psk->identity)); - GUARD(s2n_free(&psk->secret)); + RESULT_GUARD_POSIX(s2n_free(&psk->early_secret)); + RESULT_GUARD_POSIX(s2n_free(&psk->identity)); + RESULT_GUARD_POSIX(s2n_free(&psk->secret)); + RESULT_GUARD(s2n_early_data_config_free(&psk->early_data_config)); - return S2N_SUCCESS; + return S2N_RESULT_OK; +} + +int s2n_psk_free(struct s2n_psk **psk) +{ + if (psk == NULL) { + return S2N_SUCCESS; + } + POSIX_GUARD_RESULT(s2n_psk_wipe(*psk)); + return s2n_free_object((uint8_t **) psk, sizeof(struct s2n_psk)); } S2N_RESULT s2n_psk_parameters_init(struct s2n_psk_parameters *params) { - ENSURE_REF(params); - CHECKED_MEMSET(params, 0, sizeof(struct s2n_psk_parameters)); - GUARD_RESULT(s2n_array_init(¶ms->psk_list, sizeof(struct 
s2n_psk))); + RESULT_ENSURE_REF(params); + RESULT_CHECKED_MEMSET(params, 0, sizeof(struct s2n_psk_parameters)); + RESULT_GUARD(s2n_array_init(¶ms->psk_list, sizeof(struct s2n_psk))); + return S2N_RESULT_OK; +} + +static S2N_RESULT s2n_psk_offered_psk_size(struct s2n_psk *psk, uint32_t *size) +{ + *size = sizeof(uint16_t) /* identity size */ + + sizeof(uint32_t) /* obfuscated ticket age */ + + sizeof(uint8_t) /* binder size */; + + RESULT_GUARD_POSIX(s2n_add_overflow(*size, psk->identity.size, size)); + + uint8_t binder_size = 0; + RESULT_GUARD_POSIX(s2n_hmac_digest_size(psk->hmac_alg, &binder_size)); + RESULT_GUARD_POSIX(s2n_add_overflow(*size, binder_size, size)); + + return S2N_RESULT_OK; +} + +S2N_RESULT s2n_psk_parameters_offered_psks_size(struct s2n_psk_parameters *params, uint32_t *size) +{ + RESULT_ENSURE_REF(params); + RESULT_ENSURE_REF(size); + + *size = sizeof(uint16_t) /* identity list size */ + + sizeof(uint16_t) /* binder list size */; + + for (uint32_t i = 0; i < params->psk_list.len; i++) { + struct s2n_psk *psk = NULL; + RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk)); + RESULT_ENSURE_REF(psk); + + uint32_t psk_size = 0; + RESULT_GUARD(s2n_psk_offered_psk_size(psk, &psk_size)); + RESULT_GUARD_POSIX(s2n_add_overflow(*size, psk_size, size)); + } return S2N_RESULT_OK; } S2N_CLEANUP_RESULT s2n_psk_parameters_wipe(struct s2n_psk_parameters *params) { - ENSURE_REF(params); + RESULT_ENSURE_REF(params); for (size_t i = 0; i < params->psk_list.len; i++) { - struct s2n_psk *psk; - GUARD_RESULT(s2n_array_get(¶ms->psk_list, i, (void**)&psk)); - GUARD_AS_RESULT(s2n_psk_free(psk)); + struct s2n_psk *psk = NULL; + RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk)); + RESULT_GUARD(s2n_psk_wipe(psk)); + } + RESULT_GUARD_POSIX(s2n_free(¶ms->psk_list.mem)); + RESULT_GUARD(s2n_psk_parameters_init(params)); + + return S2N_RESULT_OK; +} + +S2N_CLEANUP_RESULT s2n_psk_parameters_wipe_secrets(struct s2n_psk_parameters *params) +{ + 
RESULT_ENSURE_REF(params); + + for (size_t i = 0; i < params->psk_list.len; i++) { + struct s2n_psk *psk = NULL; + RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk)); + RESULT_ENSURE_REF(psk); + RESULT_GUARD_POSIX(s2n_free(&psk->early_secret)); + RESULT_GUARD_POSIX(s2n_free(&psk->secret)); + } + + return S2N_RESULT_OK; +} + +bool s2n_offered_psk_list_has_next(struct s2n_offered_psk_list *psk_list) +{ + return psk_list != NULL && s2n_stuffer_data_available(&psk_list->wire_data) > 0; +} + +S2N_RESULT s2n_offered_psk_list_read_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk) +{ + RESULT_ENSURE_REF(psk_list); + RESULT_ENSURE_REF(psk_list->conn); + RESULT_ENSURE_MUT(psk); + + uint16_t identity_size = 0; + RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(&psk_list->wire_data, &identity_size)); + RESULT_ENSURE_GT(identity_size, 0); + + uint8_t *identity_data = NULL; + identity_data = s2n_stuffer_raw_read(&psk_list->wire_data, identity_size); + RESULT_ENSURE_REF(identity_data); + + /** + *= https://tools.ietf.org/rfc/rfc8446#section-4.2.11 + *# For identities established externally, an obfuscated_ticket_age of 0 SHOULD be + *# used, and servers MUST ignore the value. 
+ */ + if (psk_list->conn->psk_params.type == S2N_PSK_TYPE_EXTERNAL) { + RESULT_GUARD_POSIX(s2n_stuffer_skip_read(&psk_list->wire_data, sizeof(uint32_t))); + } else { + RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(&psk_list->wire_data, &psk->obfuscated_ticket_age)); + } + + RESULT_GUARD_POSIX(s2n_blob_init(&psk->identity, identity_data, identity_size)); + psk->wire_index = psk_list->wire_index; + + RESULT_ENSURE(psk_list->wire_index < UINT16_MAX, S2N_ERR_INTEGER_OVERFLOW); + psk_list->wire_index++; + return S2N_RESULT_OK; +} + +int s2n_offered_psk_list_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk) +{ + POSIX_ENSURE_REF(psk_list); + POSIX_ENSURE_REF(psk); + *psk = (struct s2n_offered_psk){ 0 }; + POSIX_ENSURE(s2n_offered_psk_list_has_next(psk_list), S2N_ERR_STUFFER_OUT_OF_DATA); + POSIX_ENSURE(s2n_result_is_ok(s2n_offered_psk_list_read_next(psk_list, psk)), S2N_ERR_BAD_MESSAGE); + return S2N_SUCCESS; +} + +int s2n_offered_psk_list_reread(struct s2n_offered_psk_list *psk_list) +{ + POSIX_ENSURE_REF(psk_list); + psk_list->wire_index = 0; + return s2n_stuffer_reread(&psk_list->wire_data); +} + +/* Match a PSK identity received from the client against the server's known PSK identities. + * This method compares a single client identity to all server identities. + * + * While both the client's offered identities and whether a match was found are public, we should make an attempt + * to keep the server's known identities a secret. We will make comparisons to the server's identities constant + * time (to hide partial matches) and not end the search early when a match is found (to hide the ordering). + * + * Keeping these comparisons constant time is not high priority. There's no known attack using these timings, + * and an attacker could probably guess the server's known identities just by observing the public identities + * sent by clients. 
+ */ +static S2N_RESULT s2n_match_psk_identity(struct s2n_array *known_psks, const struct s2n_blob *wire_identity, + struct s2n_psk **match) +{ + RESULT_ENSURE_REF(match); + RESULT_ENSURE_REF(wire_identity); + RESULT_ENSURE_REF(known_psks); + *match = NULL; + for (size_t i = 0; i < known_psks->len; i++) { + struct s2n_psk *psk = NULL; + RESULT_GUARD(s2n_array_get(known_psks, i, (void**)&psk)); + RESULT_ENSURE_REF(psk); + RESULT_ENSURE_REF(psk->identity.data); + RESULT_ENSURE_REF(wire_identity->data); + uint32_t compare_size = MIN(wire_identity->size, psk->identity.size); + if (s2n_constant_time_equals(psk->identity.data, wire_identity->data, compare_size) + & (psk->identity.size == wire_identity->size) & (!*match)) { + *match = psk; + } + } + return S2N_RESULT_OK; +} + +/** + *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10 + *# For PSKs provisioned via NewSessionTicket, a server MUST validate + *# that the ticket age for the selected PSK identity (computed by + *# subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age + *# modulo 2^32) is within a small tolerance of the time since the ticket + *# was issued (see Section 8). + **/ +static S2N_RESULT s2n_validate_ticket_lifetime(struct s2n_connection *conn, uint32_t obfuscated_ticket_age, uint32_t ticket_age_add) +{ + RESULT_ENSURE_REF(conn); + + if (conn->psk_params.type == S2N_PSK_TYPE_EXTERNAL) { + return S2N_RESULT_OK; } - GUARD_AS_RESULT(s2n_free(¶ms->psk_list.mem)); - GUARD_RESULT(s2n_psk_parameters_init(params)); + + /* Subtract the ticket_age_add value from the ticket age in milliseconds. The resulting uint32_t value + * may wrap, resulting in the modulo 2^32 operation. 
*/ + uint32_t ticket_age_in_millis = obfuscated_ticket_age - ticket_age_add; + uint32_t session_lifetime_in_millis = conn->config->session_state_lifetime_in_nanos / ONE_MILLISEC_IN_NANOS; + RESULT_ENSURE(ticket_age_in_millis < session_lifetime_in_millis, S2N_ERR_INVALID_SESSION_TICKET); return S2N_RESULT_OK; } +int s2n_offered_psk_list_choose_psk(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk) +{ + POSIX_ENSURE_REF(psk_list); + POSIX_ENSURE_REF(psk_list->conn); + + struct s2n_psk_parameters *psk_params = &psk_list->conn->psk_params; + struct s2n_stuffer ticket_stuffer = { 0 }; + + if (!psk) { + psk_params->chosen_psk = NULL; + return S2N_SUCCESS; + } + + if (psk_params->type == S2N_PSK_TYPE_RESUMPTION && psk_list->conn->config->use_tickets) { + POSIX_GUARD(s2n_stuffer_init(&ticket_stuffer, &psk->identity)); + POSIX_GUARD(s2n_stuffer_skip_write(&ticket_stuffer, psk->identity.size)); + + /* s2n_decrypt_session_ticket appends a new PSK with the decrypted values. */ + POSIX_GUARD(s2n_decrypt_session_ticket(psk_list->conn, &ticket_stuffer)); + } + + struct s2n_psk *chosen_psk = NULL; + POSIX_GUARD_RESULT(s2n_match_psk_identity(&psk_params->psk_list, &psk->identity, &chosen_psk)); + POSIX_ENSURE_REF(chosen_psk); + POSIX_GUARD_RESULT(s2n_validate_ticket_lifetime(psk_list->conn, psk->obfuscated_ticket_age, chosen_psk->ticket_age_add)); + psk_params->chosen_psk = chosen_psk; + psk_params->chosen_psk_wire_index = psk->wire_index; + + return S2N_SUCCESS; +} + +struct s2n_offered_psk* s2n_offered_psk_new() +{ + DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free); + PTR_GUARD_POSIX(s2n_alloc(&mem, sizeof(struct s2n_offered_psk))); + PTR_GUARD_POSIX(s2n_blob_zero(&mem)); + + struct s2n_offered_psk *psk = (struct s2n_offered_psk*)(void*) mem.data; + + ZERO_TO_DISABLE_DEFER_CLEANUP(mem); + return psk; +} + +int s2n_offered_psk_free(struct s2n_offered_psk **psk) +{ + if (psk == NULL) { + return S2N_SUCCESS; + } + return s2n_free_object((uint8_t **) psk, 
sizeof(struct s2n_offered_psk)); +} + +int s2n_offered_psk_get_identity(struct s2n_offered_psk *psk, uint8_t** identity, uint16_t *size) +{ + POSIX_ENSURE_REF(psk); + POSIX_ENSURE_REF(identity); + POSIX_ENSURE_REF(size); + *identity = psk->identity.data; + *size = psk->identity.size; + return S2N_SUCCESS; +} + /* The binder hash is computed by hashing the concatenation of the current transcript * and a partial ClientHello that does not include the binders themselves. */ int s2n_psk_calculate_binder_hash(struct s2n_connection *conn, s2n_hmac_algorithm hmac_alg, const struct s2n_blob *partial_client_hello, struct s2n_blob *output_binder_hash) { - notnull_check(partial_client_hello); - notnull_check(output_binder_hash); + POSIX_ENSURE_REF(conn); + POSIX_ENSURE_REF(partial_client_hello); + POSIX_ENSURE_REF(output_binder_hash); + struct s2n_handshake_hashes *hashes = conn->handshake.hashes; + POSIX_ENSURE_REF(hashes); /* Retrieve the current transcript. * The current transcript will be empty unless this handshake included a HelloRetryRequest. */ - struct s2n_hash_state current_hash_state = {0}; - - s2n_hash_algorithm hash_alg; - GUARD(s2n_hmac_hash_alg(hmac_alg, &hash_alg)); - GUARD(s2n_handshake_get_hash_state(conn, hash_alg, ¤t_hash_state)); - - /* Copy the current transcript to avoid modifying the original. */ - DEFER_CLEANUP(struct s2n_hash_state hash_copy, s2n_hash_free); - GUARD(s2n_hash_new(&hash_copy)); - GUARD(s2n_hash_copy(&hash_copy, ¤t_hash_state)); + s2n_hash_algorithm hash_alg = S2N_HASH_NONE; + struct s2n_hash_state *hash_state = &hashes->hash_workspace; + POSIX_GUARD(s2n_hmac_hash_alg(hmac_alg, &hash_alg)); + POSIX_GUARD_RESULT(s2n_handshake_copy_hash_state(conn, hash_alg, hash_state)); /* Add the partial client hello to the transcript. 
*/ - GUARD(s2n_hash_update(&hash_copy, partial_client_hello->data, partial_client_hello->size)); + POSIX_GUARD(s2n_hash_update(hash_state, partial_client_hello->data, partial_client_hello->size)); /* Get the transcript digest */ - GUARD(s2n_hash_digest(&hash_copy, output_binder_hash->data, output_binder_hash->size)); + POSIX_GUARD(s2n_hash_digest(hash_state, output_binder_hash->data, output_binder_hash->size)); return S2N_SUCCESS; } 
@@ -131,29 +408,26 @@ int s2n_psk_calculate_binder_hash(struct s2n_connection *conn, s2n_hmac_algorith int s2n_psk_calculate_binder(struct s2n_psk *psk, const struct s2n_blob *binder_hash, struct s2n_blob *output_binder) { - notnull_check(psk); - notnull_check(binder_hash); - notnull_check(output_binder); + POSIX_ENSURE_REF(psk); + POSIX_ENSURE_REF(binder_hash); + POSIX_ENSURE_REF(output_binder); DEFER_CLEANUP(struct s2n_tls13_keys psk_keys, s2n_tls13_keys_free); - GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg)); - eq_check(binder_hash->size, psk_keys.size); - eq_check(output_binder->size, psk_keys.size); - - /* Make sure the early secret is saved on the psk structure for later use */ - GUARD(s2n_realloc(&psk->early_secret, psk_keys.size)); - GUARD(s2n_blob_init(&psk_keys.extract_secret, psk->early_secret.data, psk_keys.size)); + POSIX_GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg)); + POSIX_ENSURE_EQ(binder_hash->size, psk_keys.size); + POSIX_ENSURE_EQ(output_binder->size, psk_keys.size); /* Derive the binder key */ - GUARD(s2n_tls13_derive_binder_key(&psk_keys, psk)); + POSIX_GUARD_RESULT(s2n_derive_binder_key(psk, &psk_keys.derive_secret)); + POSIX_GUARD(s2n_blob_init(&psk_keys.extract_secret, psk->early_secret.data, psk_keys.size)); struct s2n_blob *binder_key = &psk_keys.derive_secret; /* Expand the binder key into the finished key */ s2n_tls13_key_blob(finished_key, psk_keys.size); - GUARD(s2n_tls13_derive_finished_key(&psk_keys, binder_key, &finished_key)); + POSIX_GUARD(s2n_tls13_derive_finished_key(&psk_keys, binder_key, &finished_key)); /* HMAC the binder hash with the binder finished key */ - GUARD(s2n_hkdf_extract(&psk_keys.hmac, psk_keys.hmac_algorithm, &finished_key, binder_hash, output_binder)); + POSIX_GUARD(s2n_hkdf_extract(&psk_keys.hmac, psk_keys.hmac_algorithm, &finished_key, binder_hash, output_binder)); return S2N_SUCCESS; } 
@@ -161,24 +435,24 @@ int s2n_psk_calculate_binder(struct s2n_psk *psk, const struct s2n_blob *binder_ int s2n_psk_verify_binder(struct s2n_connection *conn, struct s2n_psk *psk, const struct s2n_blob *partial_client_hello, struct s2n_blob *binder_to_verify) { - notnull_check(psk); - notnull_check(binder_to_verify); + POSIX_ENSURE_REF(psk); + POSIX_ENSURE_REF(binder_to_verify); DEFER_CLEANUP(struct s2n_tls13_keys psk_keys, s2n_tls13_keys_free); - GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg)); - eq_check(binder_to_verify->size, psk_keys.size); + POSIX_GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg)); + POSIX_ENSURE_EQ(binder_to_verify->size, psk_keys.size); /* Calculate the binder hash from the transcript */ s2n_tls13_key_blob(binder_hash, psk_keys.size); - GUARD(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, &binder_hash)); + POSIX_GUARD(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, &binder_hash)); /* Calculate the expected binder from the binder hash */ s2n_tls13_key_blob(expected_binder, psk_keys.size); - GUARD(s2n_psk_calculate_binder(psk, &binder_hash, &expected_binder)); + POSIX_GUARD(s2n_psk_calculate_binder(psk, &binder_hash, &expected_binder)); /* Verify the expected binder matches the given binder. * This operation must be constant time. */ - GUARD(s2n_tls13_mac_verify(&psk_keys, &expected_binder, binder_to_verify)); + POSIX_GUARD(s2n_tls13_mac_verify(&psk_keys, &expected_binder, binder_to_verify)); return S2N_SUCCESS; } 
@@ -186,15 +460,15 @@ int s2n_psk_verify_binder(struct s2n_connection *conn, struct s2n_psk *psk, static S2N_RESULT s2n_psk_write_binder(struct s2n_connection *conn, struct s2n_psk *psk, const struct s2n_blob *binder_hash, struct s2n_stuffer *out) { - ENSURE_REF(binder_hash); + RESULT_ENSURE_REF(binder_hash); struct s2n_blob binder; uint8_t binder_data[S2N_TLS13_SECRET_MAX_LEN] = { 0 }; - GUARD_AS_RESULT(s2n_blob_init(&binder, binder_data, binder_hash->size)); + RESULT_GUARD_POSIX(s2n_blob_init(&binder, binder_data, binder_hash->size)); - GUARD_AS_RESULT(s2n_psk_calculate_binder(psk, binder_hash, &binder)); - GUARD_AS_RESULT(s2n_stuffer_write_uint8(out, binder.size)); - GUARD_AS_RESULT(s2n_stuffer_write(out, &binder)); + RESULT_GUARD_POSIX(s2n_psk_calculate_binder(psk, binder_hash, &binder)); + RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(out, binder.size)); + RESULT_GUARD_POSIX(s2n_stuffer_write(out, &binder)); return S2N_RESULT_OK; } @@ -202,8 +476,8 @@ static S2N_RESULT s2n_psk_write_binder(struct s2n_connection *conn, struct s2n_p static S2N_RESULT s2n_psk_write_binder_list(struct s2n_connection *conn, const struct s2n_blob *partial_client_hello, struct s2n_stuffer *out) { - ENSURE_REF(conn); - ENSURE_REF(partial_client_hello); + RESULT_ENSURE_REF(conn); + RESULT_ENSURE_REF(partial_client_hello); struct s2n_psk_parameters *psk_params = &conn->psk_params; struct s2n_array *psk_list = &psk_params->psk_list; 
@@ -214,13 +488,13 @@ static S2N_RESULT s2n_psk_write_binder_list(struct s2n_connection *conn, const s struct s2n_blob binder_hashes[S2N_HASH_ALG_COUNT] = { 0 }; struct s2n_stuffer_reservation binder_list_size = { 0 }; - GUARD_AS_RESULT(s2n_stuffer_reserve_uint16(out, &binder_list_size)); + RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(out, &binder_list_size)); /* Write binder for every psk */ for (size_t i = 0; i < psk_list->len; i++) { struct s2n_psk *psk = NULL; - GUARD_RESULT(s2n_array_get(psk_list, i, (void**) &psk)); - ENSURE_REF(psk); + RESULT_GUARD(s2n_array_get(psk_list, i, (void**) &psk)); + RESULT_ENSURE_REF(psk); /** *= https://tools.ietf.org/rfc/rfc8446#section-4.1.4 @@ -238,21 +512,21 @@ static S2N_RESULT s2n_psk_write_binder_list(struct s2n_connection *conn, const s struct s2n_blob *binder_hash = &binder_hashes[psk->hmac_alg]; if (binder_hash->size == 0) { uint8_t hash_size = 0; - GUARD_AS_RESULT(s2n_hmac_digest_size(psk->hmac_alg, &hash_size)); - GUARD_AS_RESULT(s2n_blob_init(binder_hash, binder_hashes_data[psk->hmac_alg], hash_size)); - GUARD_AS_RESULT(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, binder_hash)); + RESULT_GUARD_POSIX(s2n_hmac_digest_size(psk->hmac_alg, &hash_size)); + RESULT_GUARD_POSIX(s2n_blob_init(binder_hash, binder_hashes_data[psk->hmac_alg], hash_size)); + RESULT_GUARD_POSIX(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, binder_hash)); } - GUARD_RESULT(s2n_psk_write_binder(conn, psk, binder_hash, out)); + RESULT_GUARD(s2n_psk_write_binder(conn, psk, binder_hash, out)); } - GUARD_AS_RESULT(s2n_stuffer_write_vector_size(&binder_list_size)); + RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&binder_list_size)); return S2N_RESULT_OK; } S2N_RESULT s2n_finish_psk_extension(struct s2n_connection *conn) { - ENSURE_REF(conn); + RESULT_ENSURE_REF(conn); if (!conn->psk_params.binder_list_size) { return S2N_RESULT_OK; 
@@ -262,72 +536,161 @@ S2N_RESULT s2n_finish_psk_extension(struct s2n_connection *conn) struct s2n_psk_parameters *psk_params = &conn->psk_params; /* Fill in the correct message size. */ - GUARD_AS_RESULT(s2n_handshake_finish_header(client_hello)); + RESULT_GUARD_POSIX(s2n_handshake_finish_header(client_hello)); /* Remove the empty space allocated for the binder list. * It was originally added to ensure the extension / extension list / message sizes * were properly calculated. */ - GUARD_AS_RESULT(s2n_stuffer_wipe_n(client_hello, psk_params->binder_list_size)); + RESULT_GUARD_POSIX(s2n_stuffer_wipe_n(client_hello, psk_params->binder_list_size)); /* Store the partial client hello for use in calculating the binder hash. */ struct s2n_blob partial_client_hello = { 0 }; - GUARD_AS_RESULT(s2n_blob_init(&partial_client_hello, client_hello->blob.data, + RESULT_GUARD_POSIX(s2n_blob_init(&partial_client_hello, client_hello->blob.data, s2n_stuffer_data_available(client_hello))); - GUARD_RESULT(s2n_psk_write_binder_list(conn, &partial_client_hello, client_hello)); + RESULT_GUARD(s2n_psk_write_binder_list(conn, &partial_client_hello, client_hello)); return S2N_RESULT_OK; } -static S2N_RESULT s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac psk_hmac_alg) +int s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac hmac) { - switch(psk_hmac_alg) { - case S2N_PSK_HMAC_SHA224: psk->hmac_alg = S2N_HMAC_SHA224; break; + POSIX_ENSURE_REF(psk); + switch(hmac) { case S2N_PSK_HMAC_SHA256: psk->hmac_alg = S2N_HMAC_SHA256; break; case S2N_PSK_HMAC_SHA384: psk->hmac_alg = S2N_HMAC_SHA384; break; default: - BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM); + POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM); + } + return S2N_SUCCESS; +} + +S2N_RESULT s2n_connection_set_psk_type(struct s2n_connection *conn, s2n_psk_type type) +{ + RESULT_ENSURE_REF(conn); + if (conn->psk_params.psk_list.len != 0) { + RESULT_ENSURE(conn->psk_params.type == type, S2N_ERR_PSK_MODE); } + conn->psk_params.type = type; return 
S2N_RESULT_OK; } -int s2n_connection_set_external_psks(struct s2n_connection *conn, struct s2n_external_psk *psk_vec, size_t psk_vec_length) +int s2n_connection_append_psk(struct s2n_connection *conn, struct s2n_psk *input_psk) { - ENSURE_POSIX_REF(conn); - ENSURE_POSIX_REF(psk_vec); + POSIX_ENSURE_REF(conn); + POSIX_ENSURE_REF(input_psk); + POSIX_GUARD_RESULT(s2n_connection_set_psk_type(conn, input_psk->type)); + + struct s2n_array *psk_list = &conn->psk_params.psk_list; - /* Remove all previously-set external psks */ - /* The loop iterates from len to 1 instead of from len-1 to 0 to avoid size_t underflowing */ - for (size_t i = conn->psk_params.psk_list.len; i > 0; i--) { - size_t i_index = i - 1; - struct s2n_psk *psk = NULL; - GUARD_AS_POSIX(s2n_array_get(&conn->psk_params.psk_list, i_index, (void**) &psk)); - ENSURE_POSIX_REF(psk); - if (psk->type == S2N_PSK_TYPE_EXTERNAL) { - GUARD(s2n_psk_free(psk)); - GUARD_AS_POSIX(s2n_array_remove(&conn->psk_params.psk_list, i_index)); - } + /* Check for duplicate identities */ + for (uint32_t j = 0; j < psk_list->len; j++) { + struct s2n_psk *existing_psk = NULL; + POSIX_GUARD_RESULT(s2n_array_get(psk_list, j, (void**) &existing_psk)); + POSIX_ENSURE_REF(existing_psk); + + bool duplicate = existing_psk->identity.size == input_psk->identity.size + && memcmp(existing_psk->identity.data, input_psk->identity.data, existing_psk->identity.size) == 0; + POSIX_ENSURE(!duplicate, S2N_ERR_DUPLICATE_PSK_IDENTITIES); } - for (size_t i = 0; i < psk_vec_length; i++) { - /* Check for duplicate identities */ - size_t array_len = conn->psk_params.psk_list.len; - for (size_t j = 0; j < array_len; j++) { - struct s2n_psk *psk = NULL; - GUARD_AS_POSIX(s2n_array_get(&conn->psk_params.psk_list, j, (void**) &psk)); - ENSURE_POSIX_REF(psk); - if (psk->identity.size == psk_vec[i].identity_length) { - ENSURE_POSIX(memcmp(psk->identity.data, psk_vec[i].identity, psk->identity.size) != 0, S2N_ERR_DUPLICATE_PSK_IDENTITIES); - } - } + /* Verify the 
PSK list will fit in the ClientHello pre_shared_key extension */ + if (conn->mode == S2N_CLIENT) { + uint32_t list_size = 0; + POSIX_GUARD_RESULT(s2n_psk_parameters_offered_psks_size(&conn->psk_params, &list_size)); + + uint32_t psk_size = 0; + POSIX_GUARD_RESULT(s2n_psk_offered_psk_size(input_psk, &psk_size)); + + POSIX_ENSURE(list_size + psk_size + S2N_EXTENSION_HEADER_LENGTH <= UINT16_MAX, S2N_ERR_OFFERED_PSKS_TOO_LONG); + } + + DEFER_CLEANUP(struct s2n_psk new_psk = { 0 }, s2n_psk_wipe); + POSIX_ENSURE(s2n_result_is_ok(s2n_psk_clone(&new_psk, input_psk)), S2N_ERR_INVALID_ARGUMENT); + POSIX_GUARD_RESULT(s2n_array_insert_and_copy(psk_list, psk_list->len, &new_psk)); + + ZERO_TO_DISABLE_DEFER_CLEANUP(new_psk); + return S2N_SUCCESS; +} + +int s2n_config_set_psk_mode(struct s2n_config *config, s2n_psk_mode mode) +{ + POSIX_ENSURE_REF(config); + config->psk_mode = mode; + return S2N_SUCCESS; +} + +int s2n_connection_set_psk_mode(struct s2n_connection *conn, s2n_psk_mode mode) +{ + POSIX_ENSURE_REF(conn); + s2n_psk_type type = 0; + switch(mode) { + case S2N_PSK_MODE_RESUMPTION: + type = S2N_PSK_TYPE_RESUMPTION; + break; + case S2N_PSK_MODE_EXTERNAL: + type = S2N_PSK_TYPE_EXTERNAL; + break; + default: + POSIX_BAIL(S2N_ERR_INVALID_ARGUMENT); + break; + } + POSIX_GUARD_RESULT(s2n_connection_set_psk_type(conn, type)); + conn->psk_mode_overridden = true; + return S2N_SUCCESS; +} + +int s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection *conn, uint16_t *identity_length) +{ + POSIX_ENSURE_REF(conn); + POSIX_ENSURE_REF(identity_length); - struct s2n_psk *new_psk = NULL; - GUARD_AS_POSIX(s2n_array_pushback(&conn->psk_params.psk_list, (void**) &new_psk)); - ENSURE_POSIX_REF(new_psk); - GUARD(s2n_psk_init(new_psk, S2N_PSK_TYPE_EXTERNAL)); - GUARD(s2n_psk_new_identity(new_psk, psk_vec[i].identity, psk_vec[i].identity_length)); - GUARD(s2n_psk_new_secret(new_psk, psk_vec[i].secret, psk_vec[i].secret_length)); - GUARD_AS_POSIX(s2n_psk_set_hmac(new_psk, 
psk_vec[i].hmac)); + struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk; + + if (chosen_psk == NULL) { + *identity_length = 0; + } else { + *identity_length = chosen_psk->identity.size; } return S2N_SUCCESS; } + +int s2n_connection_get_negotiated_psk_identity(struct s2n_connection *conn, uint8_t *identity, + uint16_t max_identity_length) +{ + POSIX_ENSURE_REF(conn); + POSIX_ENSURE_REF(identity); + + struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk; + + if (chosen_psk == NULL) { + return S2N_SUCCESS; + } + + POSIX_ENSURE(chosen_psk->identity.size <= max_identity_length, S2N_ERR_INSUFFICIENT_MEM_SIZE); + POSIX_CHECKED_MEMCPY(identity, chosen_psk->identity.data, chosen_psk->identity.size); + + return S2N_SUCCESS; +} + +S2N_RESULT s2n_psk_validate_keying_material(struct s2n_connection *conn) +{ + RESULT_ENSURE_REF(conn); + + struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk; + if (!chosen_psk || chosen_psk->type != S2N_PSK_TYPE_RESUMPTION) { + return S2N_RESULT_OK; + } + + /* + * The minimum ticket lifetime is 1s, because ticket_lifetime is given + * in seconds and 0 indicates that the ticket should be immediately discarded. + */ + uint32_t min_lifetime = ONE_SEC_IN_NANOS; + + uint64_t current_time = 0; + RESULT_GUARD_POSIX(conn->config->wall_clock(conn->config->sys_clock_ctx, ¤t_time)); + RESULT_ENSURE(chosen_psk->keying_material_expiration > current_time + min_lifetime, S2N_ERR_KEYING_MATERIAL_EXPIRED); + + return S2N_RESULT_OK; +} |