1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include <sys/param.h>
17
18 #include "crypto/s2n_tls13_keys.h"
19
20 #include "tls/s2n_handshake.h"
21 #include "tls/s2n_tls13_handshake.h"
22 #include "tls/s2n_tls.h"
23 #include "tls/extensions/s2n_extension_type.h"
24
25 #include "utils/s2n_array.h"
26 #include "utils/s2n_mem.h"
27 #include "utils/s2n_safety.h"
28
29 #define S2N_HASH_ALG_COUNT S2N_HASH_SENTINEL
30
s2n_psk_init(struct s2n_psk * psk,s2n_psk_type type)31 S2N_RESULT s2n_psk_init(struct s2n_psk *psk, s2n_psk_type type)
32 {
33 RESULT_ENSURE_MUT(psk);
34
35 RESULT_CHECKED_MEMSET(psk, 0, sizeof(struct s2n_psk));
36 psk->hmac_alg = S2N_HMAC_SHA256;
37 psk->type = type;
38
39 return S2N_RESULT_OK;
40 }
41
s2n_external_psk_new()42 struct s2n_psk* s2n_external_psk_new()
43 {
44 DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
45 PTR_GUARD_POSIX(s2n_alloc(&mem, sizeof(struct s2n_psk)));
46
47 struct s2n_psk *psk = (struct s2n_psk*)(void*) mem.data;
48 PTR_GUARD_RESULT(s2n_psk_init(psk, S2N_PSK_TYPE_EXTERNAL));
49
50 ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
51 return psk;
52 }
53
s2n_psk_set_identity(struct s2n_psk * psk,const uint8_t * identity,uint16_t identity_size)54 int s2n_psk_set_identity(struct s2n_psk *psk, const uint8_t *identity, uint16_t identity_size)
55 {
56 POSIX_ENSURE_REF(psk);
57 POSIX_ENSURE_REF(identity);
58 POSIX_ENSURE(identity_size != 0, S2N_ERR_INVALID_ARGUMENT);
59
60 POSIX_GUARD(s2n_realloc(&psk->identity, identity_size));
61 POSIX_CHECKED_MEMCPY(psk->identity.data, identity, identity_size);
62
63 return S2N_SUCCESS;
64 }
65
s2n_psk_set_secret(struct s2n_psk * psk,const uint8_t * secret,uint16_t secret_size)66 int s2n_psk_set_secret(struct s2n_psk *psk, const uint8_t *secret, uint16_t secret_size)
67 {
68 POSIX_ENSURE_REF(psk);
69 POSIX_ENSURE_REF(secret);
70 POSIX_ENSURE(secret_size != 0, S2N_ERR_INVALID_ARGUMENT);
71
72 POSIX_GUARD(s2n_realloc(&psk->secret, secret_size));
73 POSIX_CHECKED_MEMCPY(psk->secret.data, secret, secret_size);
74
75 return S2N_SUCCESS;
76 }
77
s2n_psk_clone(struct s2n_psk * new_psk,struct s2n_psk * original_psk)78 S2N_RESULT s2n_psk_clone(struct s2n_psk *new_psk, struct s2n_psk *original_psk)
79 {
80 if (original_psk == NULL) {
81 return S2N_RESULT_OK;
82 }
83 RESULT_ENSURE_REF(new_psk);
84
85 struct s2n_psk psk_copy = *new_psk;
86
87 /* Copy all fields from the old_config EXCEPT the blobs, which we need to reallocate. */
88 *new_psk = *original_psk;
89 new_psk->identity = psk_copy.identity;
90 new_psk->secret = psk_copy.secret;
91 new_psk->early_secret = psk_copy.early_secret;
92 new_psk->early_data_config = psk_copy.early_data_config;
93
94 /* Clone / realloc blobs */
95 RESULT_GUARD_POSIX(s2n_psk_set_identity(new_psk, original_psk->identity.data, original_psk->identity.size));
96 RESULT_GUARD_POSIX(s2n_psk_set_secret(new_psk, original_psk->secret.data, original_psk->secret.size));
97 RESULT_GUARD_POSIX(s2n_realloc(&new_psk->early_secret, original_psk->early_secret.size));
98 RESULT_CHECKED_MEMCPY(new_psk->early_secret.data, original_psk->early_secret.data, original_psk->early_secret.size);
99 RESULT_GUARD(s2n_early_data_config_clone(new_psk, &original_psk->early_data_config));
100
101 return S2N_RESULT_OK;
102 }
103
s2n_psk_wipe(struct s2n_psk * psk)104 S2N_CLEANUP_RESULT s2n_psk_wipe(struct s2n_psk *psk)
105 {
106 if (psk == NULL) {
107 return S2N_RESULT_OK;
108 }
109
110 RESULT_GUARD_POSIX(s2n_free(&psk->early_secret));
111 RESULT_GUARD_POSIX(s2n_free(&psk->identity));
112 RESULT_GUARD_POSIX(s2n_free(&psk->secret));
113 RESULT_GUARD(s2n_early_data_config_free(&psk->early_data_config));
114
115 return S2N_RESULT_OK;
116 }
117
s2n_psk_free(struct s2n_psk ** psk)118 int s2n_psk_free(struct s2n_psk **psk)
119 {
120 if (psk == NULL) {
121 return S2N_SUCCESS;
122 }
123 POSIX_GUARD_RESULT(s2n_psk_wipe(*psk));
124 return s2n_free_object((uint8_t **) psk, sizeof(struct s2n_psk));
125 }
126
s2n_psk_parameters_init(struct s2n_psk_parameters * params)127 S2N_RESULT s2n_psk_parameters_init(struct s2n_psk_parameters *params)
128 {
129 RESULT_ENSURE_REF(params);
130 RESULT_CHECKED_MEMSET(params, 0, sizeof(struct s2n_psk_parameters));
131 RESULT_GUARD(s2n_array_init(¶ms->psk_list, sizeof(struct s2n_psk)));
132 return S2N_RESULT_OK;
133 }
134
s2n_psk_offered_psk_size(struct s2n_psk * psk,uint32_t * size)135 static S2N_RESULT s2n_psk_offered_psk_size(struct s2n_psk *psk, uint32_t *size)
136 {
137 *size = sizeof(uint16_t) /* identity size */
138 + sizeof(uint32_t) /* obfuscated ticket age */
139 + sizeof(uint8_t) /* binder size */;
140
141 RESULT_GUARD_POSIX(s2n_add_overflow(*size, psk->identity.size, size));
142
143 uint8_t binder_size = 0;
144 RESULT_GUARD_POSIX(s2n_hmac_digest_size(psk->hmac_alg, &binder_size));
145 RESULT_GUARD_POSIX(s2n_add_overflow(*size, binder_size, size));
146
147 return S2N_RESULT_OK;
148 }
149
s2n_psk_parameters_offered_psks_size(struct s2n_psk_parameters * params,uint32_t * size)150 S2N_RESULT s2n_psk_parameters_offered_psks_size(struct s2n_psk_parameters *params, uint32_t *size)
151 {
152 RESULT_ENSURE_REF(params);
153 RESULT_ENSURE_REF(size);
154
155 *size = sizeof(uint16_t) /* identity list size */
156 + sizeof(uint16_t) /* binder list size */;
157
158 for (uint32_t i = 0; i < params->psk_list.len; i++) {
159 struct s2n_psk *psk = NULL;
160 RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk));
161 RESULT_ENSURE_REF(psk);
162
163 uint32_t psk_size = 0;
164 RESULT_GUARD(s2n_psk_offered_psk_size(psk, &psk_size));
165 RESULT_GUARD_POSIX(s2n_add_overflow(*size, psk_size, size));
166 }
167 return S2N_RESULT_OK;
168 }
169
s2n_psk_parameters_wipe(struct s2n_psk_parameters * params)170 S2N_CLEANUP_RESULT s2n_psk_parameters_wipe(struct s2n_psk_parameters *params)
171 {
172 RESULT_ENSURE_REF(params);
173
174 for (size_t i = 0; i < params->psk_list.len; i++) {
175 struct s2n_psk *psk = NULL;
176 RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk));
177 RESULT_GUARD(s2n_psk_wipe(psk));
178 }
179 RESULT_GUARD_POSIX(s2n_free(¶ms->psk_list.mem));
180 RESULT_GUARD(s2n_psk_parameters_init(params));
181
182 return S2N_RESULT_OK;
183 }
184
s2n_psk_parameters_wipe_secrets(struct s2n_psk_parameters * params)185 S2N_CLEANUP_RESULT s2n_psk_parameters_wipe_secrets(struct s2n_psk_parameters *params)
186 {
187 RESULT_ENSURE_REF(params);
188
189 for (size_t i = 0; i < params->psk_list.len; i++) {
190 struct s2n_psk *psk = NULL;
191 RESULT_GUARD(s2n_array_get(¶ms->psk_list, i, (void**)&psk));
192 RESULT_ENSURE_REF(psk);
193 RESULT_GUARD_POSIX(s2n_free(&psk->early_secret));
194 RESULT_GUARD_POSIX(s2n_free(&psk->secret));
195 }
196
197 return S2N_RESULT_OK;
198 }
199
s2n_offered_psk_list_has_next(struct s2n_offered_psk_list * psk_list)200 bool s2n_offered_psk_list_has_next(struct s2n_offered_psk_list *psk_list)
201 {
202 return psk_list != NULL && s2n_stuffer_data_available(&psk_list->wire_data) > 0;
203 }
204
s2n_offered_psk_list_read_next(struct s2n_offered_psk_list * psk_list,struct s2n_offered_psk * psk)205 S2N_RESULT s2n_offered_psk_list_read_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk)
206 {
207 RESULT_ENSURE_REF(psk_list);
208 RESULT_ENSURE_REF(psk_list->conn);
209 RESULT_ENSURE_MUT(psk);
210
211 uint16_t identity_size = 0;
212 RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(&psk_list->wire_data, &identity_size));
213 RESULT_ENSURE_GT(identity_size, 0);
214
215 uint8_t *identity_data = NULL;
216 identity_data = s2n_stuffer_raw_read(&psk_list->wire_data, identity_size);
217 RESULT_ENSURE_REF(identity_data);
218
219 /**
220 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.11
221 *# For identities established externally, an obfuscated_ticket_age of 0 SHOULD be
222 *# used, and servers MUST ignore the value.
223 */
224 if (psk_list->conn->psk_params.type == S2N_PSK_TYPE_EXTERNAL) {
225 RESULT_GUARD_POSIX(s2n_stuffer_skip_read(&psk_list->wire_data, sizeof(uint32_t)));
226 } else {
227 RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(&psk_list->wire_data, &psk->obfuscated_ticket_age));
228 }
229
230 RESULT_GUARD_POSIX(s2n_blob_init(&psk->identity, identity_data, identity_size));
231 psk->wire_index = psk_list->wire_index;
232
233 RESULT_ENSURE(psk_list->wire_index < UINT16_MAX, S2N_ERR_INTEGER_OVERFLOW);
234 psk_list->wire_index++;
235 return S2N_RESULT_OK;
236 }
237
s2n_offered_psk_list_next(struct s2n_offered_psk_list * psk_list,struct s2n_offered_psk * psk)238 int s2n_offered_psk_list_next(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk)
239 {
240 POSIX_ENSURE_REF(psk_list);
241 POSIX_ENSURE_REF(psk);
242 *psk = (struct s2n_offered_psk){ 0 };
243 POSIX_ENSURE(s2n_offered_psk_list_has_next(psk_list), S2N_ERR_STUFFER_OUT_OF_DATA);
244 POSIX_ENSURE(s2n_result_is_ok(s2n_offered_psk_list_read_next(psk_list, psk)), S2N_ERR_BAD_MESSAGE);
245 return S2N_SUCCESS;
246 }
247
s2n_offered_psk_list_reread(struct s2n_offered_psk_list * psk_list)248 int s2n_offered_psk_list_reread(struct s2n_offered_psk_list *psk_list)
249 {
250 POSIX_ENSURE_REF(psk_list);
251 psk_list->wire_index = 0;
252 return s2n_stuffer_reread(&psk_list->wire_data);
253 }
254
255 /* Match a PSK identity received from the client against the server's known PSK identities.
256 * This method compares a single client identity to all server identities.
257 *
258 * While both the client's offered identities and whether a match was found are public, we should make an attempt
259 * to keep the server's known identities a secret. We will make comparisons to the server's identities constant
260 * time (to hide partial matches) and not end the search early when a match is found (to hide the ordering).
261 *
262 * Keeping these comparisons constant time is not high priority. There's no known attack using these timings,
263 * and an attacker could probably guess the server's known identities just by observing the public identities
264 * sent by clients.
265 */
s2n_match_psk_identity(struct s2n_array * known_psks,const struct s2n_blob * wire_identity,struct s2n_psk ** match)266 static S2N_RESULT s2n_match_psk_identity(struct s2n_array *known_psks, const struct s2n_blob *wire_identity,
267 struct s2n_psk **match)
268 {
269 RESULT_ENSURE_REF(match);
270 RESULT_ENSURE_REF(wire_identity);
271 RESULT_ENSURE_REF(known_psks);
272 *match = NULL;
273 for (size_t i = 0; i < known_psks->len; i++) {
274 struct s2n_psk *psk = NULL;
275 RESULT_GUARD(s2n_array_get(known_psks, i, (void**)&psk));
276 RESULT_ENSURE_REF(psk);
277 RESULT_ENSURE_REF(psk->identity.data);
278 RESULT_ENSURE_REF(wire_identity->data);
279 uint32_t compare_size = MIN(wire_identity->size, psk->identity.size);
280 if (s2n_constant_time_equals(psk->identity.data, wire_identity->data, compare_size)
281 & (psk->identity.size == wire_identity->size) & (!*match)) {
282 *match = psk;
283 }
284 }
285 return S2N_RESULT_OK;
286 }
287
288 /**
289 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
290 *# For PSKs provisioned via NewSessionTicket, a server MUST validate
291 *# that the ticket age for the selected PSK identity (computed by
292 *# subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age
293 *# modulo 2^32) is within a small tolerance of the time since the ticket
294 *# was issued (see Section 8).
295 **/
s2n_validate_ticket_lifetime(struct s2n_connection * conn,uint32_t obfuscated_ticket_age,uint32_t ticket_age_add)296 static S2N_RESULT s2n_validate_ticket_lifetime(struct s2n_connection *conn, uint32_t obfuscated_ticket_age, uint32_t ticket_age_add)
297 {
298 RESULT_ENSURE_REF(conn);
299
300 if (conn->psk_params.type == S2N_PSK_TYPE_EXTERNAL) {
301 return S2N_RESULT_OK;
302 }
303
304 /* Subtract the ticket_age_add value from the ticket age in milliseconds. The resulting uint32_t value
305 * may wrap, resulting in the modulo 2^32 operation. */
306 uint32_t ticket_age_in_millis = obfuscated_ticket_age - ticket_age_add;
307 uint32_t session_lifetime_in_millis = conn->config->session_state_lifetime_in_nanos / ONE_MILLISEC_IN_NANOS;
308 RESULT_ENSURE(ticket_age_in_millis < session_lifetime_in_millis, S2N_ERR_INVALID_SESSION_TICKET);
309
310 return S2N_RESULT_OK;
311 }
312
s2n_offered_psk_list_choose_psk(struct s2n_offered_psk_list * psk_list,struct s2n_offered_psk * psk)313 int s2n_offered_psk_list_choose_psk(struct s2n_offered_psk_list *psk_list, struct s2n_offered_psk *psk)
314 {
315 POSIX_ENSURE_REF(psk_list);
316 POSIX_ENSURE_REF(psk_list->conn);
317
318 struct s2n_psk_parameters *psk_params = &psk_list->conn->psk_params;
319 struct s2n_stuffer ticket_stuffer = { 0 };
320
321 if (!psk) {
322 psk_params->chosen_psk = NULL;
323 return S2N_SUCCESS;
324 }
325
326 if (psk_params->type == S2N_PSK_TYPE_RESUMPTION && psk_list->conn->config->use_tickets) {
327 POSIX_GUARD(s2n_stuffer_init(&ticket_stuffer, &psk->identity));
328 POSIX_GUARD(s2n_stuffer_skip_write(&ticket_stuffer, psk->identity.size));
329
330 /* s2n_decrypt_session_ticket appends a new PSK with the decrypted values. */
331 POSIX_GUARD(s2n_decrypt_session_ticket(psk_list->conn, &ticket_stuffer));
332 }
333
334 struct s2n_psk *chosen_psk = NULL;
335 POSIX_GUARD_RESULT(s2n_match_psk_identity(&psk_params->psk_list, &psk->identity, &chosen_psk));
336 POSIX_ENSURE_REF(chosen_psk);
337 POSIX_GUARD_RESULT(s2n_validate_ticket_lifetime(psk_list->conn, psk->obfuscated_ticket_age, chosen_psk->ticket_age_add));
338 psk_params->chosen_psk = chosen_psk;
339 psk_params->chosen_psk_wire_index = psk->wire_index;
340
341 return S2N_SUCCESS;
342 }
343
s2n_offered_psk_new()344 struct s2n_offered_psk* s2n_offered_psk_new()
345 {
346 DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
347 PTR_GUARD_POSIX(s2n_alloc(&mem, sizeof(struct s2n_offered_psk)));
348 PTR_GUARD_POSIX(s2n_blob_zero(&mem));
349
350 struct s2n_offered_psk *psk = (struct s2n_offered_psk*)(void*) mem.data;
351
352 ZERO_TO_DISABLE_DEFER_CLEANUP(mem);
353 return psk;
354 }
355
s2n_offered_psk_free(struct s2n_offered_psk ** psk)356 int s2n_offered_psk_free(struct s2n_offered_psk **psk)
357 {
358 if (psk == NULL) {
359 return S2N_SUCCESS;
360 }
361 return s2n_free_object((uint8_t **) psk, sizeof(struct s2n_offered_psk));
362 }
363
s2n_offered_psk_get_identity(struct s2n_offered_psk * psk,uint8_t ** identity,uint16_t * size)364 int s2n_offered_psk_get_identity(struct s2n_offered_psk *psk, uint8_t** identity, uint16_t *size)
365 {
366 POSIX_ENSURE_REF(psk);
367 POSIX_ENSURE_REF(identity);
368 POSIX_ENSURE_REF(size);
369 *identity = psk->identity.data;
370 *size = psk->identity.size;
371 return S2N_SUCCESS;
372 }
373
374 /* The binder hash is computed by hashing the concatenation of the current transcript
375 * and a partial ClientHello that does not include the binders themselves.
376 */
s2n_psk_calculate_binder_hash(struct s2n_connection * conn,s2n_hmac_algorithm hmac_alg,const struct s2n_blob * partial_client_hello,struct s2n_blob * output_binder_hash)377 int s2n_psk_calculate_binder_hash(struct s2n_connection *conn, s2n_hmac_algorithm hmac_alg,
378 const struct s2n_blob *partial_client_hello, struct s2n_blob *output_binder_hash)
379 {
380 POSIX_ENSURE_REF(partial_client_hello);
381 POSIX_ENSURE_REF(output_binder_hash);
382
383 /* Retrieve the current transcript.
384 * The current transcript will be empty unless this handshake included a HelloRetryRequest. */
385 struct s2n_hash_state current_hash_state = {0};
386
387 s2n_hash_algorithm hash_alg;
388 POSIX_GUARD(s2n_hmac_hash_alg(hmac_alg, &hash_alg));
389 POSIX_GUARD(s2n_handshake_get_hash_state(conn, hash_alg, ¤t_hash_state));
390
391 /* Copy the current transcript to avoid modifying the original. */
392 DEFER_CLEANUP(struct s2n_hash_state hash_copy, s2n_hash_free);
393 POSIX_GUARD(s2n_hash_new(&hash_copy));
394 POSIX_GUARD(s2n_hash_copy(&hash_copy, ¤t_hash_state));
395
396 /* Add the partial client hello to the transcript. */
397 POSIX_GUARD(s2n_hash_update(&hash_copy, partial_client_hello->data, partial_client_hello->size));
398
399 /* Get the transcript digest */
400 POSIX_GUARD(s2n_hash_digest(&hash_copy, output_binder_hash->data, output_binder_hash->size));
401
402 return S2N_SUCCESS;
403 }
404
405 /* The binder is computed in the same way as the Finished message
406 * (https://tools.ietf.org/html/rfc8446#section-4.4.4) but with the BaseKey being the binder_key
407 * derived via the key schedule from the corresponding PSK which is being offered
408 * (https://tools.ietf.org/html/rfc8446#section-7.1)
409 */
s2n_psk_calculate_binder(struct s2n_psk * psk,const struct s2n_blob * binder_hash,struct s2n_blob * output_binder)410 int s2n_psk_calculate_binder(struct s2n_psk *psk, const struct s2n_blob *binder_hash,
411 struct s2n_blob *output_binder)
412 {
413 POSIX_ENSURE_REF(psk);
414 POSIX_ENSURE_REF(binder_hash);
415 POSIX_ENSURE_REF(output_binder);
416
417 DEFER_CLEANUP(struct s2n_tls13_keys psk_keys, s2n_tls13_keys_free);
418 POSIX_GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg));
419 POSIX_ENSURE_EQ(binder_hash->size, psk_keys.size);
420 POSIX_ENSURE_EQ(output_binder->size, psk_keys.size);
421
422 /* Make sure the early secret is saved on the psk structure for later use */
423 POSIX_GUARD(s2n_realloc(&psk->early_secret, psk_keys.size));
424 POSIX_GUARD(s2n_blob_init(&psk_keys.extract_secret, psk->early_secret.data, psk_keys.size));
425
426 /* Derive the binder key */
427 POSIX_GUARD(s2n_tls13_derive_binder_key(&psk_keys, psk));
428 struct s2n_blob *binder_key = &psk_keys.derive_secret;
429
430 /* Expand the binder key into the finished key */
431 s2n_tls13_key_blob(finished_key, psk_keys.size);
432 POSIX_GUARD(s2n_tls13_derive_finished_key(&psk_keys, binder_key, &finished_key));
433
434 /* HMAC the binder hash with the binder finished key */
435 POSIX_GUARD(s2n_hkdf_extract(&psk_keys.hmac, psk_keys.hmac_algorithm, &finished_key, binder_hash, output_binder));
436
437 return S2N_SUCCESS;
438 }
439
s2n_psk_verify_binder(struct s2n_connection * conn,struct s2n_psk * psk,const struct s2n_blob * partial_client_hello,struct s2n_blob * binder_to_verify)440 int s2n_psk_verify_binder(struct s2n_connection *conn, struct s2n_psk *psk,
441 const struct s2n_blob *partial_client_hello, struct s2n_blob *binder_to_verify)
442 {
443 POSIX_ENSURE_REF(psk);
444 POSIX_ENSURE_REF(binder_to_verify);
445
446 DEFER_CLEANUP(struct s2n_tls13_keys psk_keys, s2n_tls13_keys_free);
447 POSIX_GUARD(s2n_tls13_keys_init(&psk_keys, psk->hmac_alg));
448 POSIX_ENSURE_EQ(binder_to_verify->size, psk_keys.size);
449
450 /* Calculate the binder hash from the transcript */
451 s2n_tls13_key_blob(binder_hash, psk_keys.size);
452 POSIX_GUARD(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, &binder_hash));
453
454 /* Calculate the expected binder from the binder hash */
455 s2n_tls13_key_blob(expected_binder, psk_keys.size);
456 POSIX_GUARD(s2n_psk_calculate_binder(psk, &binder_hash, &expected_binder));
457
458 /* Verify the expected binder matches the given binder.
459 * This operation must be constant time. */
460 POSIX_GUARD(s2n_tls13_mac_verify(&psk_keys, &expected_binder, binder_to_verify));
461
462 return S2N_SUCCESS;
463 }
464
s2n_psk_write_binder(struct s2n_connection * conn,struct s2n_psk * psk,const struct s2n_blob * binder_hash,struct s2n_stuffer * out)465 static S2N_RESULT s2n_psk_write_binder(struct s2n_connection *conn, struct s2n_psk *psk,
466 const struct s2n_blob *binder_hash, struct s2n_stuffer *out)
467 {
468 RESULT_ENSURE_REF(binder_hash);
469
470 struct s2n_blob binder;
471 uint8_t binder_data[S2N_TLS13_SECRET_MAX_LEN] = { 0 };
472 RESULT_GUARD_POSIX(s2n_blob_init(&binder, binder_data, binder_hash->size));
473
474 RESULT_GUARD_POSIX(s2n_psk_calculate_binder(psk, binder_hash, &binder));
475 RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(out, binder.size));
476 RESULT_GUARD_POSIX(s2n_stuffer_write(out, &binder));
477
478 return S2N_RESULT_OK;
479 }
480
s2n_psk_write_binder_list(struct s2n_connection * conn,const struct s2n_blob * partial_client_hello,struct s2n_stuffer * out)481 static S2N_RESULT s2n_psk_write_binder_list(struct s2n_connection *conn, const struct s2n_blob *partial_client_hello,
482 struct s2n_stuffer *out)
483 {
484 RESULT_ENSURE_REF(conn);
485 RESULT_ENSURE_REF(partial_client_hello);
486
487 struct s2n_psk_parameters *psk_params = &conn->psk_params;
488 struct s2n_array *psk_list = &psk_params->psk_list;
489
490 /* Setup memory to hold the binder hashes. We potentially need one for
491 * every hash algorithm. */
492 uint8_t binder_hashes_data[S2N_HASH_ALG_COUNT][S2N_TLS13_SECRET_MAX_LEN] = { 0 };
493 struct s2n_blob binder_hashes[S2N_HASH_ALG_COUNT] = { 0 };
494
495 struct s2n_stuffer_reservation binder_list_size = { 0 };
496 RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(out, &binder_list_size));
497
498 /* Write binder for every psk */
499 for (size_t i = 0; i < psk_list->len; i++) {
500 struct s2n_psk *psk = NULL;
501 RESULT_GUARD(s2n_array_get(psk_list, i, (void**) &psk));
502 RESULT_ENSURE_REF(psk);
503
504 /**
505 *= https://tools.ietf.org/rfc/rfc8446#section-4.1.4
506 *# In addition, in its updated ClientHello, the client SHOULD NOT offer
507 *# any pre-shared keys associated with a hash other than that of the
508 *# selected cipher suite. This allows the client to avoid having to
509 *# compute partial hash transcripts for multiple hashes in the second
510 *# ClientHello.
511 */
512 if (s2n_is_hello_retry_handshake(conn) && conn->secure.cipher_suite->prf_alg != psk->hmac_alg) {
513 continue;
514 }
515
516 /* Retrieve or calculate the binder hash. */
517 struct s2n_blob *binder_hash = &binder_hashes[psk->hmac_alg];
518 if (binder_hash->size == 0) {
519 uint8_t hash_size = 0;
520 RESULT_GUARD_POSIX(s2n_hmac_digest_size(psk->hmac_alg, &hash_size));
521 RESULT_GUARD_POSIX(s2n_blob_init(binder_hash, binder_hashes_data[psk->hmac_alg], hash_size));
522 RESULT_GUARD_POSIX(s2n_psk_calculate_binder_hash(conn, psk->hmac_alg, partial_client_hello, binder_hash));
523 }
524
525 RESULT_GUARD(s2n_psk_write_binder(conn, psk, binder_hash, out));
526 }
527 RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&binder_list_size));
528
529 return S2N_RESULT_OK;
530 }
531
s2n_finish_psk_extension(struct s2n_connection * conn)532 S2N_RESULT s2n_finish_psk_extension(struct s2n_connection *conn)
533 {
534 RESULT_ENSURE_REF(conn);
535
536 if (!conn->psk_params.binder_list_size) {
537 return S2N_RESULT_OK;
538 }
539
540 struct s2n_stuffer *client_hello = &conn->handshake.io;
541 struct s2n_psk_parameters *psk_params = &conn->psk_params;
542
543 /* Fill in the correct message size. */
544 RESULT_GUARD_POSIX(s2n_handshake_finish_header(client_hello));
545
546 /* Remove the empty space allocated for the binder list.
547 * It was originally added to ensure the extension / extension list / message sizes
548 * were properly calculated. */
549 RESULT_GUARD_POSIX(s2n_stuffer_wipe_n(client_hello, psk_params->binder_list_size));
550
551 /* Store the partial client hello for use in calculating the binder hash. */
552 struct s2n_blob partial_client_hello = { 0 };
553 RESULT_GUARD_POSIX(s2n_blob_init(&partial_client_hello, client_hello->blob.data,
554 s2n_stuffer_data_available(client_hello)));
555
556 RESULT_GUARD(s2n_psk_write_binder_list(conn, &partial_client_hello, client_hello));
557 return S2N_RESULT_OK;
558 }
559
s2n_psk_set_hmac(struct s2n_psk * psk,s2n_psk_hmac hmac)560 int s2n_psk_set_hmac(struct s2n_psk *psk, s2n_psk_hmac hmac)
561 {
562 POSIX_ENSURE_REF(psk);
563 switch(hmac) {
564 case S2N_PSK_HMAC_SHA256: psk->hmac_alg = S2N_HMAC_SHA256; break;
565 case S2N_PSK_HMAC_SHA384: psk->hmac_alg = S2N_HMAC_SHA384; break;
566 default:
567 POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM);
568 }
569 return S2N_SUCCESS;
570 }
571
s2n_connection_set_psk_type(struct s2n_connection * conn,s2n_psk_type type)572 S2N_RESULT s2n_connection_set_psk_type(struct s2n_connection *conn, s2n_psk_type type)
573 {
574 RESULT_ENSURE_REF(conn);
575 if (conn->psk_params.psk_list.len != 0) {
576 RESULT_ENSURE(conn->psk_params.type == type, S2N_ERR_PSK_MODE);
577 }
578 conn->psk_params.type = type;
579 return S2N_RESULT_OK;
580 }
581
s2n_connection_append_psk(struct s2n_connection * conn,struct s2n_psk * input_psk)582 int s2n_connection_append_psk(struct s2n_connection *conn, struct s2n_psk *input_psk)
583 {
584 POSIX_ENSURE_REF(conn);
585 POSIX_ENSURE_REF(input_psk);
586 POSIX_GUARD_RESULT(s2n_connection_set_psk_type(conn, input_psk->type));
587
588 struct s2n_array *psk_list = &conn->psk_params.psk_list;
589
590 /* Check for duplicate identities */
591 for (uint32_t j = 0; j < psk_list->len; j++) {
592 struct s2n_psk *existing_psk = NULL;
593 POSIX_GUARD_RESULT(s2n_array_get(psk_list, j, (void**) &existing_psk));
594 POSIX_ENSURE_REF(existing_psk);
595
596 bool duplicate = existing_psk->identity.size == input_psk->identity.size
597 && memcmp(existing_psk->identity.data, input_psk->identity.data, existing_psk->identity.size) == 0;
598 POSIX_ENSURE(!duplicate, S2N_ERR_DUPLICATE_PSK_IDENTITIES);
599 }
600
601 /* Verify the PSK list will fit in the ClientHello pre_shared_key extension */
602 if (conn->mode == S2N_CLIENT) {
603 uint32_t list_size = 0;
604 POSIX_GUARD_RESULT(s2n_psk_parameters_offered_psks_size(&conn->psk_params, &list_size));
605
606 uint32_t psk_size = 0;
607 POSIX_GUARD_RESULT(s2n_psk_offered_psk_size(input_psk, &psk_size));
608
609 POSIX_ENSURE(list_size + psk_size + S2N_EXTENSION_HEADER_LENGTH <= UINT16_MAX, S2N_ERR_OFFERED_PSKS_TOO_LONG);
610 }
611
612 DEFER_CLEANUP(struct s2n_psk new_psk = { 0 }, s2n_psk_wipe);
613 POSIX_ENSURE(s2n_result_is_ok(s2n_psk_clone(&new_psk, input_psk)), S2N_ERR_INVALID_ARGUMENT);
614 POSIX_GUARD_RESULT(s2n_array_insert_and_copy(psk_list, psk_list->len, &new_psk));
615
616 ZERO_TO_DISABLE_DEFER_CLEANUP(new_psk);
617 return S2N_SUCCESS;
618 }
619
s2n_config_set_psk_mode(struct s2n_config * config,s2n_psk_mode mode)620 int s2n_config_set_psk_mode(struct s2n_config *config, s2n_psk_mode mode)
621 {
622 POSIX_ENSURE_REF(config);
623 config->psk_mode = mode;
624 return S2N_SUCCESS;
625 }
626
s2n_connection_set_psk_mode(struct s2n_connection * conn,s2n_psk_mode mode)627 int s2n_connection_set_psk_mode(struct s2n_connection *conn, s2n_psk_mode mode)
628 {
629 POSIX_ENSURE_REF(conn);
630 s2n_psk_type type = 0;
631 switch(mode) {
632 case S2N_PSK_MODE_RESUMPTION:
633 type = S2N_PSK_TYPE_RESUMPTION;
634 break;
635 case S2N_PSK_MODE_EXTERNAL:
636 type = S2N_PSK_TYPE_EXTERNAL;
637 break;
638 default:
639 POSIX_BAIL(S2N_ERR_INVALID_ARGUMENT);
640 break;
641 }
642 POSIX_GUARD_RESULT(s2n_connection_set_psk_type(conn, type));
643 conn->psk_mode_overridden = true;
644 return S2N_SUCCESS;
645 }
646
s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection * conn,uint16_t * identity_length)647 int s2n_connection_get_negotiated_psk_identity_length(struct s2n_connection *conn, uint16_t *identity_length)
648 {
649 POSIX_ENSURE_REF(conn);
650 POSIX_ENSURE_REF(identity_length);
651
652 struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk;
653
654 if (chosen_psk == NULL) {
655 *identity_length = 0;
656 } else {
657 *identity_length = chosen_psk->identity.size;
658 }
659
660 return S2N_SUCCESS;
661 }
662
s2n_connection_get_negotiated_psk_identity(struct s2n_connection * conn,uint8_t * identity,uint16_t max_identity_length)663 int s2n_connection_get_negotiated_psk_identity(struct s2n_connection *conn, uint8_t *identity,
664 uint16_t max_identity_length)
665 {
666 POSIX_ENSURE_REF(conn);
667 POSIX_ENSURE_REF(identity);
668
669 struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk;
670
671 if (chosen_psk == NULL) {
672 return S2N_SUCCESS;
673 }
674
675 POSIX_ENSURE(chosen_psk->identity.size <= max_identity_length, S2N_ERR_INSUFFICIENT_MEM_SIZE);
676 POSIX_CHECKED_MEMCPY(identity, chosen_psk->identity.data, chosen_psk->identity.size);
677
678 return S2N_SUCCESS;
679 }
680
s2n_psk_validate_keying_material(struct s2n_connection * conn)681 S2N_RESULT s2n_psk_validate_keying_material(struct s2n_connection *conn)
682 {
683 RESULT_ENSURE_REF(conn);
684
685 struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk;
686 if (!chosen_psk || chosen_psk->type != S2N_PSK_TYPE_RESUMPTION) {
687 return S2N_RESULT_OK;
688 }
689
690 /*
691 * The minimum ticket lifetime is 1s, because ticket_lifetime is given
692 * in seconds and 0 indicates that the ticket should be immediately discarded.
693 */
694 uint32_t min_lifetime = ONE_SEC_IN_NANOS;
695
696 uint64_t current_time = 0;
697 RESULT_GUARD_POSIX(conn->config->wall_clock(conn->config->sys_clock_ctx, ¤t_time));
698 RESULT_ENSURE(chosen_psk->keying_material_expiration > current_time + min_lifetime, S2N_ERR_KEYING_MATERIAL_EXPIRED);
699
700 return S2N_RESULT_OK;
701 }
702