1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include <sys/param.h>
17
18 #include "tls/s2n_early_data.h"
19
20 #include "tls/s2n_connection.h"
21 #include "tls/s2n_cipher_suites.h"
22 #include "tls/s2n_psk.h"
23 #include "utils/s2n_safety.h"
24 #include "utils/s2n_mem.h"
25
26 const s2n_early_data_state valid_previous_states[] = {
27 [S2N_EARLY_DATA_REQUESTED] = S2N_UNKNOWN_EARLY_DATA_STATE,
28 [S2N_EARLY_DATA_NOT_REQUESTED] = S2N_UNKNOWN_EARLY_DATA_STATE,
29 [S2N_EARLY_DATA_REJECTED] = S2N_EARLY_DATA_REQUESTED,
30 [S2N_EARLY_DATA_ACCEPTED] = S2N_EARLY_DATA_REQUESTED,
31 [S2N_END_OF_EARLY_DATA] = S2N_EARLY_DATA_ACCEPTED,
32 };
33
s2n_connection_set_early_data_state(struct s2n_connection * conn,s2n_early_data_state next_state)34 S2N_RESULT s2n_connection_set_early_data_state(struct s2n_connection *conn, s2n_early_data_state next_state)
35 {
36 RESULT_ENSURE_REF(conn);
37 if (conn->early_data_state == next_state) {
38 return S2N_RESULT_OK;
39 }
40 RESULT_ENSURE(next_state < S2N_EARLY_DATA_STATES_COUNT, S2N_ERR_INVALID_EARLY_DATA_STATE);
41 RESULT_ENSURE(next_state != S2N_UNKNOWN_EARLY_DATA_STATE, S2N_ERR_INVALID_EARLY_DATA_STATE);
42 RESULT_ENSURE(conn->early_data_state == valid_previous_states[next_state], S2N_ERR_INVALID_EARLY_DATA_STATE);
43 conn->early_data_state = next_state;
44 return S2N_RESULT_OK;
45 }
46
s2n_connection_set_early_data_expected(struct s2n_connection * conn)47 int s2n_connection_set_early_data_expected(struct s2n_connection *conn)
48 {
49 POSIX_ENSURE_REF(conn);
50 conn->early_data_expected = true;
51 return S2N_SUCCESS;
52 }
53
s2n_connection_set_end_of_early_data(struct s2n_connection * conn)54 int s2n_connection_set_end_of_early_data(struct s2n_connection *conn)
55 {
56 POSIX_ENSURE_REF(conn);
57 conn->early_data_expected = false;
58 return S2N_SUCCESS;
59 }
60
s2n_early_data_validate(struct s2n_connection * conn)61 static S2N_RESULT s2n_early_data_validate(struct s2n_connection *conn)
62 {
63 RESULT_ENSURE_REF(conn);
64
65 /**
66 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
67 *# In order to accept early data, the server MUST have accepted a PSK
68 *# cipher suite and selected the first key offered in the client's
69 *# "pre_shared_key" extension.
70 **/
71 RESULT_ENSURE_REF(conn->psk_params.chosen_psk);
72 RESULT_ENSURE_EQ(conn->psk_params.chosen_psk_wire_index, 0);
73
74 struct s2n_early_data_config *config = &conn->psk_params.chosen_psk->early_data_config;
75 RESULT_ENSURE_GT(config->max_early_data_size, 0);
76
77 /**
78 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
79 *# In addition, it MUST verify that the
80 *# following values are the same as those associated with the
81 *# selected PSK:
82 *#
83 *# - The TLS version number
84 **/
85 RESULT_ENSURE_EQ(config->protocol_version, s2n_connection_get_protocol_version(conn));
86 /**
87 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
88 *# - The selected cipher suite
89 **/
90 RESULT_ENSURE_EQ(config->cipher_suite, conn->secure.cipher_suite);
91 /**
92 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
93 *# - The selected ALPN [RFC7301] protocol, if any
94 **/
95 const size_t app_protocol_size = strlen(conn->application_protocol);
96 if (app_protocol_size > 0 || config->application_protocol.size > 0) {
97 RESULT_ENSURE_EQ(config->application_protocol.size, app_protocol_size + 1 /* null-terminating char */);
98 RESULT_ENSURE_EQ(memcmp(config->application_protocol.data, conn->application_protocol, app_protocol_size), 0);
99 }
100
101 return S2N_RESULT_OK;
102 }
103
s2n_early_data_is_valid_for_connection(struct s2n_connection * conn)104 bool s2n_early_data_is_valid_for_connection(struct s2n_connection *conn)
105 {
106 return s2n_result_is_ok(s2n_early_data_validate(conn));
107 }
108
s2n_early_data_accept_or_reject(struct s2n_connection * conn)109 S2N_RESULT s2n_early_data_accept_or_reject(struct s2n_connection *conn)
110 {
111 RESULT_ENSURE_REF(conn);
112 if (conn->early_data_state != S2N_EARLY_DATA_REQUESTED) {
113 return S2N_RESULT_OK;
114 }
115
116 if (conn->handshake.early_data_async_state.conn) {
117 RESULT_BAIL(S2N_ERR_ASYNC_BLOCKED);
118 }
119
120 /**
121 *= https://tools.ietf.org/rfc/rfc8446#section-4.2.10
122 *# If any of these checks fail, the server MUST NOT respond with the
123 *# extension
124 **/
125 if (!s2n_early_data_is_valid_for_connection(conn)) {
126 RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
127 return S2N_RESULT_OK;
128 }
129
130 /* Even if the connection is valid for early data, the client can't consider
131 * early data accepted until the server sends the early data indication. */
132 if (conn->mode == S2N_CLIENT) {
133 return S2N_RESULT_OK;
134 }
135
136 /* The server should reject early data if the application is not prepared to handle it. */
137 if (!conn->early_data_expected) {
138 RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
139 return S2N_RESULT_OK;
140 }
141
142 /* If early data would otherwise be accepted, let the application apply any additional restrictions.
143 * For example, an application could use this callback to implement anti-replay protections.
144 *
145 * This callback can be either synchronous or asynchronous. The handshake will not proceed until
146 * the application either accepts or rejects early data.
147 */
148 RESULT_ENSURE_REF(conn->config);
149 if (conn->config->early_data_cb) {
150 conn->handshake.early_data_async_state.conn = conn;
151 RESULT_GUARD_POSIX(conn->config->early_data_cb(conn, &conn->handshake.early_data_async_state));
152 if (conn->early_data_state == S2N_EARLY_DATA_REQUESTED) {
153 RESULT_BAIL(S2N_ERR_ASYNC_BLOCKED);
154 }
155 } else {
156 RESULT_GUARD(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_ACCEPTED));
157 }
158 return S2N_RESULT_OK;
159 }
160
s2n_config_set_server_max_early_data_size(struct s2n_config * config,uint32_t max_early_data_size)161 int s2n_config_set_server_max_early_data_size(struct s2n_config *config, uint32_t max_early_data_size)
162 {
163 POSIX_ENSURE_REF(config);
164 config->server_max_early_data_size = max_early_data_size;
165 return S2N_SUCCESS;
166 }
167
s2n_connection_set_server_max_early_data_size(struct s2n_connection * conn,uint32_t max_early_data_size)168 int s2n_connection_set_server_max_early_data_size(struct s2n_connection *conn, uint32_t max_early_data_size)
169 {
170 POSIX_ENSURE_REF(conn);
171 conn->server_max_early_data_size = max_early_data_size;
172 conn->server_max_early_data_size_overridden = true;
173 return S2N_SUCCESS;
174 }
175
s2n_early_data_get_server_max_size(struct s2n_connection * conn,uint32_t * max_early_data_size)176 S2N_RESULT s2n_early_data_get_server_max_size(struct s2n_connection *conn, uint32_t *max_early_data_size)
177 {
178 RESULT_ENSURE_REF(conn);
179 RESULT_ENSURE_REF(max_early_data_size);
180 if (conn->server_max_early_data_size_overridden) {
181 *max_early_data_size = conn->server_max_early_data_size;
182 } else {
183 RESULT_ENSURE_REF(conn->config);
184 *max_early_data_size = conn->config->server_max_early_data_size;
185 }
186 return S2N_RESULT_OK;
187 }
188
s2n_connection_set_server_early_data_context(struct s2n_connection * conn,const uint8_t * context,uint16_t context_size)189 int s2n_connection_set_server_early_data_context(struct s2n_connection *conn, const uint8_t *context, uint16_t context_size)
190 {
191 POSIX_ENSURE_REF(conn);
192 if (context_size > 0) {
193 POSIX_ENSURE_REF(context);
194 }
195
196 POSIX_GUARD(s2n_realloc(&conn->server_early_data_context, context_size));
197 POSIX_CHECKED_MEMCPY(conn->server_early_data_context.data, context, context_size);
198 return S2N_SUCCESS;
199 }
200
s2n_early_data_config_free(struct s2n_early_data_config * config)201 S2N_CLEANUP_RESULT s2n_early_data_config_free(struct s2n_early_data_config *config)
202 {
203 if (config == NULL) {
204 return S2N_RESULT_OK;
205 }
206 RESULT_GUARD_POSIX(s2n_free(&config->application_protocol));
207 RESULT_GUARD_POSIX(s2n_free(&config->context));
208 return S2N_RESULT_OK;
209 }
210
s2n_psk_configure_early_data(struct s2n_psk * psk,uint32_t max_early_data_size,uint8_t cipher_suite_first_byte,uint8_t cipher_suite_second_byte)211 int s2n_psk_configure_early_data(struct s2n_psk *psk, uint32_t max_early_data_size,
212 uint8_t cipher_suite_first_byte, uint8_t cipher_suite_second_byte)
213 {
214 POSIX_ENSURE_REF(psk);
215
216 const uint8_t cipher_suite_iana[] = { cipher_suite_first_byte, cipher_suite_second_byte };
217 struct s2n_cipher_suite *cipher_suite = NULL;
218 POSIX_GUARD_RESULT(s2n_cipher_suite_from_iana(cipher_suite_iana, &cipher_suite));
219 POSIX_ENSURE_REF(cipher_suite);
220 POSIX_ENSURE(cipher_suite->prf_alg == psk->hmac_alg, S2N_ERR_INVALID_ARGUMENT);
221
222 psk->early_data_config.max_early_data_size = max_early_data_size;
223 psk->early_data_config.protocol_version = S2N_TLS13;
224 psk->early_data_config.cipher_suite = cipher_suite;
225 return S2N_SUCCESS;
226 }
227
s2n_psk_set_application_protocol(struct s2n_psk * psk,const uint8_t * application_protocol,uint8_t size)228 int s2n_psk_set_application_protocol(struct s2n_psk *psk, const uint8_t *application_protocol, uint8_t size)
229 {
230 POSIX_ENSURE_REF(psk);
231 if (size > 0) {
232 POSIX_ENSURE_REF(application_protocol);
233 }
234 struct s2n_blob *protocol_blob = &psk->early_data_config.application_protocol;
235 POSIX_GUARD(s2n_realloc(protocol_blob, size));
236 POSIX_CHECKED_MEMCPY(protocol_blob->data, application_protocol, size);
237 return S2N_SUCCESS;
238 }
239
s2n_psk_set_early_data_context(struct s2n_psk * psk,const uint8_t * context,uint16_t size)240 int s2n_psk_set_early_data_context(struct s2n_psk *psk, const uint8_t *context, uint16_t size)
241 {
242 POSIX_ENSURE_REF(psk);
243 if (size > 0) {
244 POSIX_ENSURE_REF(context);
245 }
246 struct s2n_blob *context_blob = &psk->early_data_config.context;
247 POSIX_GUARD(s2n_realloc(context_blob, size));
248 POSIX_CHECKED_MEMCPY(context_blob->data, context, size);
249 return S2N_SUCCESS;
250 }
251
s2n_early_data_config_clone(struct s2n_psk * new_psk,struct s2n_early_data_config * old_config)252 S2N_RESULT s2n_early_data_config_clone(struct s2n_psk *new_psk, struct s2n_early_data_config *old_config)
253 {
254 RESULT_ENSURE_REF(old_config);
255 RESULT_ENSURE_REF(new_psk);
256
257 struct s2n_early_data_config config_copy = new_psk->early_data_config;
258
259 /* Copy all fields from the old_config EXCEPT the blobs, which we need to reallocate. */
260 new_psk->early_data_config = *old_config;
261 new_psk->early_data_config.application_protocol = config_copy.application_protocol;
262 new_psk->early_data_config.context = config_copy.context;
263
264 /* Clone / realloc blobs */
265 RESULT_GUARD_POSIX(s2n_psk_set_application_protocol(new_psk, old_config->application_protocol.data,
266 old_config->application_protocol.size));
267 RESULT_GUARD_POSIX(s2n_psk_set_early_data_context(new_psk, old_config->context.data,
268 old_config->context.size));
269
270 return S2N_RESULT_OK;
271 }
272
s2n_connection_get_early_data_status(struct s2n_connection * conn,s2n_early_data_status_t * status)273 int s2n_connection_get_early_data_status(struct s2n_connection *conn, s2n_early_data_status_t *status)
274 {
275 POSIX_ENSURE_REF(conn);
276 POSIX_ENSURE_REF(status);
277
278 switch(conn->early_data_state) {
279 case S2N_EARLY_DATA_STATES_COUNT:
280 break;
281 case S2N_EARLY_DATA_NOT_REQUESTED:
282 *status = S2N_EARLY_DATA_STATUS_NOT_REQUESTED;
283 return S2N_SUCCESS;
284 case S2N_EARLY_DATA_REJECTED:
285 *status = S2N_EARLY_DATA_STATUS_REJECTED;
286 return S2N_SUCCESS;
287 case S2N_END_OF_EARLY_DATA:
288 *status = S2N_EARLY_DATA_STATUS_END;
289 return S2N_SUCCESS;
290 case S2N_UNKNOWN_EARLY_DATA_STATE:
291 case S2N_EARLY_DATA_REQUESTED:
292 case S2N_EARLY_DATA_ACCEPTED:
293 *status = S2N_EARLY_DATA_STATUS_OK;
294 return S2N_SUCCESS;
295 }
296 POSIX_BAIL(S2N_ERR_INVALID_EARLY_DATA_STATE);
297 }
298
s2n_get_remaining_early_data_bytes(struct s2n_connection * conn,uint32_t * early_data_allowed)299 static S2N_RESULT s2n_get_remaining_early_data_bytes(struct s2n_connection *conn, uint32_t *early_data_allowed)
300 {
301 RESULT_ENSURE_REF(conn);
302 RESULT_ENSURE_REF(early_data_allowed);
303 *early_data_allowed = 0;
304
305 uint32_t max_early_data_size = 0;
306 RESULT_GUARD_POSIX(s2n_connection_get_max_early_data_size(conn, &max_early_data_size));
307
308 RESULT_ENSURE(max_early_data_size >= conn->early_data_bytes, S2N_ERR_MAX_EARLY_DATA_SIZE);
309 *early_data_allowed = (max_early_data_size - conn->early_data_bytes);
310
311 return S2N_RESULT_OK;
312 }
313
s2n_connection_get_remaining_early_data_size(struct s2n_connection * conn,uint32_t * allowed_early_data_size)314 int s2n_connection_get_remaining_early_data_size(struct s2n_connection *conn, uint32_t *allowed_early_data_size)
315 {
316 POSIX_ENSURE_REF(conn);
317 POSIX_ENSURE_REF(allowed_early_data_size);
318 *allowed_early_data_size = 0;
319
320 switch(conn->early_data_state) {
321 case S2N_EARLY_DATA_STATES_COUNT:
322 case S2N_EARLY_DATA_NOT_REQUESTED:
323 case S2N_EARLY_DATA_REJECTED:
324 case S2N_END_OF_EARLY_DATA:
325 *allowed_early_data_size = 0;
326 break;
327 case S2N_UNKNOWN_EARLY_DATA_STATE:
328 case S2N_EARLY_DATA_REQUESTED:
329 case S2N_EARLY_DATA_ACCEPTED:
330 POSIX_GUARD_RESULT(s2n_get_remaining_early_data_bytes(conn, allowed_early_data_size));
331 break;
332 }
333 return S2N_SUCCESS;
334 }
335
s2n_connection_get_max_early_data_size(struct s2n_connection * conn,uint32_t * max_early_data_size)336 int s2n_connection_get_max_early_data_size(struct s2n_connection *conn, uint32_t *max_early_data_size)
337 {
338 POSIX_ENSURE_REF(conn);
339 POSIX_ENSURE_REF(max_early_data_size);
340 *max_early_data_size = 0;
341
342 uint32_t server_max_early_data_size = 0;
343 POSIX_GUARD_RESULT(s2n_early_data_get_server_max_size(conn, &server_max_early_data_size));
344
345 if (conn->psk_params.psk_list.len == 0) {
346 /* This method may be called by the server before loading its PSKs.
347 * The server can load its PSKs during the handshake, either via the PSK selection callback
348 * or by receiving a stateless session ticket.
349 *
350 * Before that happens, we should make an optimistic assumption of the early data size.
351 * That way, the max early data size always decreases (for example, it won't go from 0 -> UINT32_MAX
352 * after receiving a PSK in the ClientHello).
353 */
354 if (conn->mode == S2N_SERVER && !IS_NEGOTIATED(conn)) {
355 *max_early_data_size = server_max_early_data_size;
356 }
357 return S2N_SUCCESS;
358 }
359
360 struct s2n_psk *first_psk = NULL;
361 POSIX_GUARD_RESULT(s2n_array_get(&conn->psk_params.psk_list, 0, (void**) &first_psk));
362 POSIX_ENSURE_REF(first_psk);
363 *max_early_data_size = first_psk->early_data_config.max_early_data_size;
364
365 /* For the server, we should use the minimum of the limit retrieved from the ticket
366 * and the current limit being set for new tickets.
367 *
368 * This is defensive: even if more early data was previously allowed, the server may not be
369 * willing or able to handle that much early data now.
370 *
371 * We don't do this for external PSKs because the server has intentionally set the limit
372 * while setting up this connection, not during a previous connection.
373 */
374 if (conn->mode == S2N_SERVER && first_psk->type == S2N_PSK_TYPE_RESUMPTION) {
375 *max_early_data_size = MIN(*max_early_data_size, server_max_early_data_size);
376 }
377
378 return S2N_SUCCESS;
379 }
380
s2n_config_set_early_data_cb(struct s2n_config * config,s2n_early_data_cb cb)381 int s2n_config_set_early_data_cb(struct s2n_config *config, s2n_early_data_cb cb)
382 {
383 POSIX_ENSURE_REF(config);
384 config->early_data_cb = cb;
385 return S2N_SUCCESS;
386 }
387
s2n_offered_early_data_get_context_length(struct s2n_offered_early_data * early_data,uint16_t * context_len)388 int s2n_offered_early_data_get_context_length(struct s2n_offered_early_data *early_data, uint16_t *context_len)
389 {
390 POSIX_ENSURE_REF(context_len);
391 POSIX_ENSURE_REF(early_data);
392 struct s2n_connection *conn = early_data->conn;
393
394 POSIX_ENSURE_REF(conn);
395 POSIX_ENSURE_REF(conn->psk_params.chosen_psk);
396 struct s2n_early_data_config *early_data_config = &conn->psk_params.chosen_psk->early_data_config;
397
398 *context_len = early_data_config->context.size;
399
400 return S2N_SUCCESS;
401 }
402
s2n_offered_early_data_get_context(struct s2n_offered_early_data * early_data,uint8_t * context,uint16_t max_len)403 int s2n_offered_early_data_get_context(struct s2n_offered_early_data *early_data, uint8_t *context, uint16_t max_len)
404 {
405 POSIX_ENSURE_REF(context);
406 POSIX_ENSURE_REF(early_data);
407 struct s2n_connection *conn = early_data->conn;
408
409 POSIX_ENSURE_REF(conn);
410 POSIX_ENSURE_REF(conn->psk_params.chosen_psk);
411 struct s2n_early_data_config *early_data_config = &conn->psk_params.chosen_psk->early_data_config;
412
413 POSIX_ENSURE(early_data_config->context.size <= max_len, S2N_ERR_INSUFFICIENT_MEM_SIZE);
414 POSIX_CHECKED_MEMCPY(context, early_data_config->context.data, early_data_config->context.size);
415
416 return S2N_SUCCESS;
417 }
418
s2n_offered_early_data_reject(struct s2n_offered_early_data * early_data)419 int s2n_offered_early_data_reject(struct s2n_offered_early_data *early_data)
420 {
421 POSIX_ENSURE_REF(early_data);
422 struct s2n_connection *conn = early_data->conn;
423 POSIX_ENSURE_REF(conn);
424 POSIX_GUARD_RESULT(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_REJECTED));
425 return S2N_SUCCESS;
426 }
427
s2n_offered_early_data_accept(struct s2n_offered_early_data * early_data)428 int s2n_offered_early_data_accept(struct s2n_offered_early_data *early_data)
429 {
430 POSIX_ENSURE_REF(early_data);
431 struct s2n_connection *conn = early_data->conn;
432 POSIX_ENSURE_REF(conn);
433 POSIX_GUARD_RESULT(s2n_connection_set_early_data_state(conn, S2N_EARLY_DATA_ACCEPTED));
434 return S2N_SUCCESS;
435 }
436