1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
|
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include <sys/param.h>
#include "api/s2n.h"
#include <time.h>
#include "error/s2n_errno.h"
#include "tls/s2n_connection.h"
#include "tls/s2n_alerts.h"
#include "tls/s2n_tls.h"
#include "tls/s2n_resume.h"
#include "tls/s2n_tls13_handshake.h"
#include "tls/s2n_record.h"
#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_safety.h"
#include "utils/s2n_random.h"
/*
* The maximum size of the NewSessionTicket message, not taking into account the
* ticket itself.
*
* To get the actual maximum size required for the NewSessionTicket message, we'll need
* to add the size of the ticket, which is much less predictable.
*
* This constant is enforced via unit tests.
*/
#define S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE 79
int s2n_server_nst_recv(struct s2n_connection *conn) {
POSIX_GUARD(s2n_stuffer_read_uint32(&conn->handshake.io, &conn->ticket_lifetime_hint));
uint16_t session_ticket_len;
POSIX_GUARD(s2n_stuffer_read_uint16(&conn->handshake.io, &session_ticket_len));
if (session_ticket_len > 0) {
POSIX_GUARD(s2n_realloc(&conn->client_ticket, session_ticket_len));
POSIX_GUARD(s2n_stuffer_read(&conn->handshake.io, &conn->client_ticket));
if (conn->config->session_ticket_cb != NULL) {
size_t session_len = s2n_connection_get_session_length(conn);
/* Alloc some memory for the serialized session ticket */
DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
POSIX_GUARD(s2n_alloc(&mem, S2N_STATE_FORMAT_LEN + S2N_SESSION_TICKET_SIZE_LEN + \
conn->client_ticket.size + S2N_TLS12_STATE_SIZE_IN_BYTES));
POSIX_GUARD(s2n_connection_get_session(conn, mem.data, session_len));
uint32_t session_lifetime = s2n_connection_get_session_ticket_lifetime_hint(conn);
struct s2n_session_ticket ticket = { .ticket_data = mem, .session_lifetime = session_lifetime };
POSIX_ENSURE(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket) >= S2N_SUCCESS,
S2N_ERR_CANCELLED);
}
}
return S2N_SUCCESS;
}
int s2n_server_nst_send(struct s2n_connection *conn)
{
uint16_t session_ticket_len = S2N_TLS12_TICKET_SIZE_IN_BYTES;
uint8_t data[S2N_TLS12_TICKET_SIZE_IN_BYTES] = { 0 };
struct s2n_blob entry = { .data = data, .size = sizeof(data) };
struct s2n_stuffer to;
uint32_t lifetime_hint_in_secs = (conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos) / ONE_SEC_IN_NANOS;
/* When server changes it's mind mid handshake send lifetime hint and session ticket length as zero */
if (!conn->config->use_tickets) {
POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, 0));
POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, 0));
return 0;
}
if (!s2n_server_sending_nst(conn)) {
POSIX_BAIL(S2N_ERR_SENDING_NST);
}
POSIX_GUARD(s2n_stuffer_init(&to, &entry));
POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, lifetime_hint_in_secs));
POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, session_ticket_len));
POSIX_GUARD(s2n_encrypt_session_ticket(conn, &to));
POSIX_GUARD(s2n_stuffer_write(&conn->handshake.io, &to.blob));
/* For parity with TLS1.3, track the single ticket sent.
* This simplifies s2n_connection_get_tickets_sent.
*/
conn->tickets_sent++;
return S2N_SUCCESS;
}
S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_status *blocked)
{
RESULT_ENSURE_REF(conn);
/* Usually tickets are sent immediately after the handshake.
* If possible, reuse the handshake IO stuffer before it's wiped.
*
* Note: handshake.io isn't explicitly dedicated to only reading or only writing,
* so we have to be careful using it outside of s2n_negotiate.
* If we use it for writing here, we CAN'T use it for reading any post-handshake messages.
*/
struct s2n_stuffer *nst_stuffer = &conn->handshake.io;
if (conn->mode != S2N_SERVER || conn->actual_protocol_version < S2N_TLS13 || !conn->config->use_tickets) {
return S2N_RESULT_OK;
}
/* No-op if all tickets already sent.
* Clean up the stuffer used for the ticket to conserve memory. */
if (conn->tickets_to_send == conn->tickets_sent) {
RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# Note that in principle it is possible to continue issuing new tickets
*# which indefinitely extend the lifetime of the keying material
*# originally derived from an initial non-PSK handshake (which was most
*# likely tied to the peer's certificate). It is RECOMMENDED that
*# implementations place limits on the total lifetime of such keying
*# material; these limits should take into account the lifetime of the
*# peer's certificate, the likelihood of intervening revocation, and the
*# time since the peer's online CertificateVerify signature.
*/
if (s2n_result_is_error(s2n_psk_validate_keying_material(conn))) {
conn->tickets_to_send = conn->tickets_sent;
return S2N_RESULT_OK;
}
RESULT_ENSURE(conn->tickets_sent <= conn->tickets_to_send, S2N_ERR_INTEGER_OVERFLOW);
/* Flush any buffered records to ensure an empty output buffer.
*
* This is important when buffering multiple records because we don't:
* 1) Respect max fragment length for handshake messages
* 2) Check if there is sufficient space in the output buffer for
* post-handshake messages.
*
* Careful how this flush fits into the ordering of this method:
* We want to avoid unnecessary work like repeatedly encrypting
* the ticket if the flush repeatedly blocks, but we also want
* to avoid unnecessarily flushing if no ticket will actually
* need to be sent.
*/
RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
size_t session_state_size = 0;
RESULT_GUARD(s2n_connection_get_session_state_size(conn, &session_state_size));
const size_t maximum_nst_size = session_state_size + S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE;
if (s2n_stuffer_space_remaining(nst_stuffer) < maximum_nst_size) {
RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, maximum_nst_size));
}
while (conn->tickets_to_send - conn->tickets_sent > 0) {
if (s2n_result_is_error(s2n_tls13_server_nst_write(conn, nst_stuffer))) {
return S2N_RESULT_OK;
}
struct s2n_blob nst_blob = { 0 };
uint16_t nst_size = s2n_stuffer_data_available(nst_stuffer);
uint8_t *nst_data = s2n_stuffer_raw_read(nst_stuffer, nst_size);
RESULT_ENSURE_REF(nst_data);
RESULT_GUARD_POSIX(s2n_blob_init(&nst_blob, nst_data, nst_size));
RESULT_GUARD_POSIX(s2n_record_write(conn, TLS_HANDSHAKE, &nst_blob));
RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
RESULT_GUARD_POSIX(s2n_stuffer_wipe(nst_stuffer));
}
RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# Indicates the lifetime in seconds as a 32-bit
*# unsigned integer in network byte order from the time of ticket
*# issuance.
**/
static S2N_RESULT s2n_generate_ticket_lifetime(struct s2n_connection *conn, uint32_t *ticket_lifetime)
{
RESULT_ENSURE_REF(conn);
RESULT_ENSURE_MUT(ticket_lifetime);
uint32_t key_lifetime_in_secs =
(conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos) / ONE_SEC_IN_NANOS;
uint32_t session_lifetime_in_secs = conn->config->session_state_lifetime_in_nanos / ONE_SEC_IN_NANOS;
uint32_t key_and_session_min_lifetime = MIN(key_lifetime_in_secs, session_lifetime_in_secs);
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# Servers MUST NOT use any value greater than
*# 604800 seconds (7 days).
**/
*ticket_lifetime = MIN(key_and_session_min_lifetime, ONE_WEEK_IN_SEC);
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# A per-ticket value that is unique across all tickets
*# issued on this connection.
**/
static S2N_RESULT s2n_generate_ticket_nonce(uint16_t value, struct s2n_blob *output)
{
RESULT_ENSURE_MUT(output);
struct s2n_stuffer stuffer = { 0 };
RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, output));
RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(&stuffer, value));
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# A securely generated, random 32-bit value that is
*# used to obscure the age of the ticket that the client includes in
*# the "pre_shared_key" extension.
**/
static S2N_RESULT s2n_generate_ticket_age_add(struct s2n_blob *random_data, uint32_t *ticket_age_add)
{
RESULT_ENSURE_REF(random_data);
RESULT_ENSURE_REF(ticket_age_add);
struct s2n_stuffer stuffer = { 0 };
RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, random_data));
RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&stuffer, random_data->size));
RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(&stuffer, ticket_age_add));
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# The PSK associated with the ticket is computed as:
*#
*# HKDF-Expand-Label(resumption_master_secret,
*# "resumption", ticket_nonce, Hash.length)
**/
static int s2n_generate_session_secret(struct s2n_connection *conn, struct s2n_blob *nonce, struct s2n_blob *output)
{
POSIX_ENSURE_REF(conn);
POSIX_ENSURE_REF(nonce);
POSIX_ENSURE_REF(output);
s2n_tls13_connection_keys(secrets, conn);
struct s2n_blob master_secret = { 0 };
POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.tls13.resumption_master_secret, secrets.size));
POSIX_GUARD(s2n_realloc(output, secrets.size));
POSIX_GUARD_RESULT(s2n_tls13_derive_session_ticket_secret(&secrets, &master_secret, nonce, output));
return S2N_SUCCESS;
}
S2N_RESULT s2n_tls13_server_nst_write(struct s2n_connection *conn, struct s2n_stuffer *output)
{
RESULT_ENSURE_REF(conn);
RESULT_ENSURE_REF(output);
struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
/* Write message type because session resumption in TLS13 is a post-handshake message */
RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, TLS_SERVER_NEW_SESSION_TICKET));
struct s2n_stuffer_reservation message_size = { 0 };
RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint24(output, &message_size));
uint32_t ticket_lifetime_in_secs = 0;
RESULT_GUARD(s2n_generate_ticket_lifetime(conn, &ticket_lifetime_in_secs));
RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_lifetime_in_secs));
/* Get random data to use as ticket_age_add value */
uint8_t data[sizeof(uint32_t)] = { 0 };
struct s2n_blob random_data = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&random_data, data, sizeof(data)));
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# The server MUST generate a fresh value
*# for each ticket it sends.
**/
RESULT_GUARD(s2n_get_private_random_data(&random_data));
RESULT_GUARD(s2n_generate_ticket_age_add(&random_data, &ticket_fields->ticket_age_add));
RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_fields->ticket_age_add));
/* Write ticket nonce */
uint8_t nonce_data[sizeof(uint16_t)] = { 0 };
struct s2n_blob nonce = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, sizeof(nonce_data)));
RESULT_GUARD(s2n_generate_ticket_nonce(conn->tickets_sent, &nonce));
RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, nonce.size));
RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(output, nonce.data, nonce.size));
/* Derive individual session ticket secret */
RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
/* Write ticket */
struct s2n_stuffer_reservation ticket_size = { 0 };
RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(output, &ticket_size));
RESULT_GUARD_POSIX(s2n_encrypt_session_ticket(conn, output));
RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&ticket_size));
RESULT_GUARD_POSIX(s2n_extension_list_send(S2N_EXTENSION_LIST_NST, conn, output));
RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&message_size));
RESULT_ENSURE(conn->tickets_sent < UINT16_MAX, S2N_ERR_INTEGER_OVERFLOW);
conn->tickets_sent++;
return S2N_RESULT_OK;
}
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# struct {
*# uint32 ticket_lifetime;
*# uint32 ticket_age_add;
*# opaque ticket_nonce<0..255>;
*# opaque ticket<1..2^16-1>;
*# Extension extensions<0..2^16-2>;
*# } NewSessionTicket;
**/
S2N_RESULT s2n_tls13_server_nst_recv(struct s2n_connection *conn, struct s2n_stuffer *input)
{
RESULT_ENSURE_REF(conn);
RESULT_ENSURE_REF(input);
RESULT_ENSURE_REF(conn->config);
RESULT_ENSURE(conn->actual_protocol_version >= S2N_TLS13, S2N_ERR_BAD_MESSAGE);
RESULT_ENSURE(conn->mode == S2N_CLIENT, S2N_ERR_BAD_MESSAGE);
if (!conn->config->use_tickets) {
return S2N_RESULT_OK;
}
struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
/* Handle `ticket_lifetime` field */
uint32_t ticket_lifetime = 0;
RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_lifetime));
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# Servers MUST NOT use any value greater than
*# 604800 seconds (7 days).
*/
RESULT_ENSURE(ticket_lifetime <= ONE_WEEK_IN_SEC, S2N_ERR_BAD_MESSAGE);
/**
*= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
*# The value of zero indicates that the
*# ticket should be discarded immediately.
*/
if (ticket_lifetime == 0) {
return S2N_RESULT_OK;
}
conn->ticket_lifetime_hint = ticket_lifetime;
/* Handle `ticket_age_add` field */
RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_fields->ticket_age_add));
/* Handle `ticket_nonce` field */
uint8_t ticket_nonce_len = 0;
RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(input, &ticket_nonce_len));
uint8_t nonce_data[UINT8_MAX] = { 0 };
struct s2n_blob nonce = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, ticket_nonce_len));
RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(input, nonce.data, ticket_nonce_len));
RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
/* Handle `ticket` field */
uint16_t session_ticket_len = 0;
RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(input, &session_ticket_len));
RESULT_ENSURE(session_ticket_len > 0, S2N_ERR_SAFETY);
RESULT_GUARD_POSIX(s2n_realloc(&conn->client_ticket, session_ticket_len));
RESULT_GUARD_POSIX(s2n_stuffer_read(input, &conn->client_ticket));
/* Handle `extensions` field */
RESULT_GUARD_POSIX(s2n_extension_list_recv(S2N_EXTENSION_LIST_NST, conn, input));
if (conn->config->session_ticket_cb != NULL) {
/* Retrieve serialized session data */
const uint16_t session_state_size = s2n_connection_get_session_length(conn);
DEFER_CLEANUP(struct s2n_blob session_state = { 0 }, s2n_free);
RESULT_GUARD_POSIX(s2n_realloc(&session_state, session_state_size));
RESULT_GUARD_POSIX(s2n_connection_get_session(conn, session_state.data, session_state.size));
struct s2n_session_ticket ticket = {
.ticket_data = session_state,
.session_lifetime = ticket_lifetime
};
RESULT_ENSURE(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket) >= S2N_SUCCESS,
S2N_ERR_CANCELLED);
}
return S2N_RESULT_OK;
}
|