1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include <s2n.h>
17
18 #include "error/s2n_errno.h"
19
20 #include "tls/s2n_async_pkey.h"
21 #include "tls/s2n_kem.h"
22 #include "tls/s2n_kex.h"
23 #include "tls/s2n_cipher_suites.h"
24 #include "tls/s2n_connection.h"
25 #include "tls/s2n_signature_algorithms.h"
26 #include "tls/s2n_cipher_preferences.h"
27 #include "tls/s2n_security_policies.h"
28
29 #include "stuffer/s2n_stuffer.h"
30
31 #include "crypto/s2n_dhe.h"
32
33 #include "utils/s2n_safety.h"
34 #include "utils/s2n_random.h"
35
36 static int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
37
s2n_server_key_recv(struct s2n_connection * conn)38 int s2n_server_key_recv(struct s2n_connection *conn)
39 {
40 POSIX_ENSURE_REF(conn);
41 POSIX_ENSURE_REF(conn->secure.cipher_suite);
42 POSIX_ENSURE_REF(conn->secure.cipher_suite->key_exchange_alg);
43 POSIX_ENSURE_REF(conn->handshake.hashes);
44
45 struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
46 const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
47 struct s2n_stuffer *in = &conn->handshake.io;
48 struct s2n_blob data_to_verify = {0};
49
50 /* Read the KEX data */
51 struct s2n_kex_raw_server_data kex_data = {0};
52 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
53
54 /* Add common signature data */
55 struct s2n_signature_scheme *active_sig_scheme = &conn->handshake_params.conn_sig_scheme;
56 if (conn->actual_protocol_version == S2N_TLS12) {
57 /* Verify the SigScheme picked by the Server was in the preference list we sent (or is the default SigScheme) */
58 POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, active_sig_scheme));
59 }
60
61 POSIX_GUARD(s2n_hash_init(signature_hash, active_sig_scheme->hash_alg));
62 POSIX_GUARD(s2n_hash_update(signature_hash, conn->secrets.client_random, S2N_TLS_RANDOM_DATA_LEN));
63 POSIX_GUARD(s2n_hash_update(signature_hash, conn->secrets.server_random, S2N_TLS_RANDOM_DATA_LEN));
64
65 /* Add KEX specific data */
66 POSIX_GUARD(s2n_hash_update(signature_hash, data_to_verify.data, data_to_verify.size));
67
68 /* Verify the signature */
69 uint16_t signature_length;
70 POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
71
72 struct s2n_blob signature = {.size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length)};
73 POSIX_ENSURE_REF(signature.data);
74 POSIX_ENSURE_GT(signature_length, 0);
75
76 S2N_ERROR_IF(s2n_pkey_verify(&conn->handshake_params.server_public_key, active_sig_scheme->sig_alg, signature_hash, &signature) < 0,
77 S2N_ERR_BAD_MESSAGE);
78
79 /* We don't need the key any more, so free it */
80 POSIX_GUARD(s2n_pkey_free(&conn->handshake_params.server_public_key));
81
82 /* Parse the KEX data into whatever form needed and save it to the connection object */
83 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(key_exchange, conn, &kex_data));
84 return 0;
85 }
86
s2n_ecdhe_server_key_recv_read_data(struct s2n_connection * conn,struct s2n_blob * data_to_verify,struct s2n_kex_raw_server_data * raw_server_data)87 int s2n_ecdhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, struct s2n_kex_raw_server_data *raw_server_data)
88 {
89 struct s2n_stuffer *in = &conn->handshake.io;
90
91 POSIX_GUARD(s2n_ecc_evp_read_params(in, data_to_verify, &raw_server_data->ecdhe_data));
92 return 0;
93 }
94
s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection * conn,struct s2n_kex_raw_server_data * raw_server_data)95 int s2n_ecdhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
96 {
97 POSIX_GUARD(s2n_ecc_evp_parse_params(&raw_server_data->ecdhe_data, &conn->kex_params.server_ecc_evp_params));
98
99 return 0;
100 }
101
s2n_dhe_server_key_recv_read_data(struct s2n_connection * conn,struct s2n_blob * data_to_verify,struct s2n_kex_raw_server_data * raw_server_data)102 int s2n_dhe_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, struct s2n_kex_raw_server_data *raw_server_data)
103 {
104 struct s2n_stuffer *in = &conn->handshake.io;
105 struct s2n_dhe_raw_server_points *dhe_data = &raw_server_data->dhe_data;
106
107 uint16_t p_length;
108 uint16_t g_length;
109 uint16_t Ys_length;
110
111 /* Keep a copy to the start of the whole structure for the signature check */
112 data_to_verify->data = s2n_stuffer_raw_read(in, 0);
113 POSIX_ENSURE_REF(data_to_verify->data);
114
115 /* Read each of the three elements in */
116 POSIX_GUARD(s2n_stuffer_read_uint16(in, &p_length));
117 dhe_data->p.size = p_length;
118 dhe_data->p.data = s2n_stuffer_raw_read(in, p_length);
119 POSIX_ENSURE_REF(dhe_data->p.data);
120
121 POSIX_GUARD(s2n_stuffer_read_uint16(in, &g_length));
122 dhe_data->g.size = g_length;
123 dhe_data->g.data = s2n_stuffer_raw_read(in, g_length);
124 POSIX_ENSURE_REF(dhe_data->g.data);
125
126 POSIX_GUARD(s2n_stuffer_read_uint16(in, &Ys_length));
127 dhe_data->Ys.size = Ys_length;
128 dhe_data->Ys.data = s2n_stuffer_raw_read(in, Ys_length);
129 POSIX_ENSURE_REF(dhe_data->Ys.data);
130
131 /* Now we know the total size of the structure */
132 data_to_verify->size = 2 + p_length + 2 + g_length + 2 + Ys_length;
133 return 0;
134 }
135
s2n_dhe_server_key_recv_parse_data(struct s2n_connection * conn,struct s2n_kex_raw_server_data * raw_server_data)136 int s2n_dhe_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
137 {
138 struct s2n_dhe_raw_server_points dhe_data = raw_server_data->dhe_data;
139
140 /* Copy the DH details */
141 POSIX_GUARD(s2n_dh_p_g_Ys_to_dh_params(&conn->kex_params.server_dh_params, &dhe_data.p, &dhe_data.g, &dhe_data.Ys));
142 return 0;
143 }
144
s2n_kem_server_key_recv_read_data(struct s2n_connection * conn,struct s2n_blob * data_to_verify,struct s2n_kex_raw_server_data * raw_server_data)145 int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *data_to_verify, struct s2n_kex_raw_server_data *raw_server_data)
146 {
147 struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
148 struct s2n_stuffer *in = &conn->handshake.io;
149
150 /* Keep a copy to the start of the whole structure for the signature check */
151 data_to_verify->data = s2n_stuffer_raw_read(in, 0);
152 POSIX_ENSURE_REF(data_to_verify->data);
153
154 /* the server sends the KEM ID */
155 kem_data->kem_name.data = s2n_stuffer_raw_read(in, 2);
156 POSIX_ENSURE_REF(kem_data->kem_name.data);
157 kem_data->kem_name.size = 2;
158
159 struct s2n_stuffer kem_id_stuffer = { 0 };
160 uint8_t kem_id_arr[2];
161 kem_extension_size kem_id;
162 struct s2n_blob kem_id_blob = { .data = kem_id_arr, .size = s2n_array_len(kem_id_arr) };
163 POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
164 POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
165 POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));
166
167 POSIX_GUARD(s2n_get_kem_from_extension_id(kem_id, &(conn->kex_params.kem_params.kem)));
168 POSIX_GUARD(s2n_kem_recv_public_key(in, &(conn->kex_params.kem_params)));
169
170 kem_data->raw_public_key.data = conn->kex_params.kem_params.public_key.data;
171 kem_data->raw_public_key.size = conn->kex_params.kem_params.public_key.size;
172
173 data_to_verify->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem_data->raw_public_key.size;
174
175 return 0;
176 }
177
s2n_kem_server_key_recv_parse_data(struct s2n_connection * conn,struct s2n_kex_raw_server_data * raw_server_data)178 int s2n_kem_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
179 {
180 struct s2n_kem_raw_server_params *kem_data = &raw_server_data->kem_data;
181
182 /* Check that the server's requested kem is supported by the client */
183 const struct s2n_kem_preferences *kem_preferences = NULL;
184 POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_preferences));
185 POSIX_ENSURE_REF(kem_preferences);
186
187 const struct s2n_cipher_suite *cipher_suite = conn->secure.cipher_suite;
188 const struct s2n_kem *match = NULL;
189 S2N_ERROR_IF(s2n_choose_kem_with_peer_pref_list(cipher_suite->iana_value, &kem_data->kem_name, kem_preferences->kems,
190 kem_preferences->kem_count, &match) != 0, S2N_ERR_KEM_UNSUPPORTED_PARAMS);
191 conn->kex_params.kem_params.kem = match;
192
193 S2N_ERROR_IF(kem_data->raw_public_key.size != conn->kex_params.kem_params.kem->public_key_length, S2N_ERR_BAD_MESSAGE);
194
195 return 0;
196 }
197
s2n_hybrid_server_key_recv_read_data(struct s2n_connection * conn,struct s2n_blob * total_data_to_verify,struct s2n_kex_raw_server_data * raw_server_data)198 int s2n_hybrid_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_blob *total_data_to_verify, struct s2n_kex_raw_server_data *raw_server_data)
199 {
200 POSIX_ENSURE_REF(conn);
201 POSIX_ENSURE_REF(conn->secure.cipher_suite);
202 const struct s2n_kex *kex = conn->secure.cipher_suite->key_exchange_alg;
203 const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
204 const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
205
206 /* Keep a copy to the start of the whole structure for the signature check */
207 total_data_to_verify->data = s2n_stuffer_raw_read(&conn->handshake.io, 0);
208 POSIX_ENSURE_REF(total_data_to_verify->data);
209
210 struct s2n_blob data_to_verify_0 = {0};
211 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_0, conn, &data_to_verify_0, raw_server_data));
212
213 struct s2n_blob data_to_verify_1 = {0};
214 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(hybrid_kex_1, conn, &data_to_verify_1, raw_server_data));
215
216 total_data_to_verify->size = data_to_verify_0.size + data_to_verify_1.size;
217 return 0;
218 }
219
s2n_hybrid_server_key_recv_parse_data(struct s2n_connection * conn,struct s2n_kex_raw_server_data * raw_server_data)220 int s2n_hybrid_server_key_recv_parse_data(struct s2n_connection *conn, struct s2n_kex_raw_server_data *raw_server_data)
221 {
222 POSIX_ENSURE_REF(conn);
223 POSIX_ENSURE_REF(conn->secure.cipher_suite);
224 const struct s2n_kex *kex = conn->secure.cipher_suite->key_exchange_alg;
225 const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
226 const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
227
228 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_0, conn, raw_server_data));
229 POSIX_GUARD_RESULT(s2n_kex_server_key_recv_parse_data(hybrid_kex_1, conn, raw_server_data));
230 return 0;
231 }
232
s2n_server_key_send(struct s2n_connection * conn)233 int s2n_server_key_send(struct s2n_connection *conn)
234 {
235 POSIX_ENSURE_REF(conn);
236 POSIX_ENSURE_REF(conn->handshake.hashes);
237
238 S2N_ASYNC_PKEY_GUARD(conn);
239
240 struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
241 const struct s2n_kex *key_exchange = conn->secure.cipher_suite->key_exchange_alg;
242 struct s2n_stuffer *out = &conn->handshake.io;
243 struct s2n_blob data_to_sign = {0};
244
245 /* Call the negotiated key exchange method to send it's data */
246 POSIX_GUARD_RESULT(s2n_kex_server_key_send(key_exchange, conn, &data_to_sign));
247
248 /* Add common signature data */
249 if (conn->actual_protocol_version == S2N_TLS12) {
250 POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.conn_sig_scheme.iana_value));
251 }
252
253 /* Add the random data to the hash */
254 POSIX_GUARD(s2n_hash_init(signature_hash, conn->handshake_params.conn_sig_scheme.hash_alg));
255 POSIX_GUARD(s2n_hash_update(signature_hash, conn->secrets.client_random, S2N_TLS_RANDOM_DATA_LEN));
256 POSIX_GUARD(s2n_hash_update(signature_hash, conn->secrets.server_random, S2N_TLS_RANDOM_DATA_LEN));
257
258 /* Add KEX specific data to the hash */
259 POSIX_GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
260
261 S2N_ASYNC_PKEY_SIGN(conn, conn->handshake_params.conn_sig_scheme.sig_alg, signature_hash, s2n_server_key_send_write_signature);
262 }
263
s2n_ecdhe_server_key_send(struct s2n_connection * conn,struct s2n_blob * data_to_sign)264 int s2n_ecdhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
265 {
266 struct s2n_stuffer *out = &conn->handshake.io;
267
268 /* Generate an ephemeral key and */
269 POSIX_GUARD(s2n_ecc_evp_generate_ephemeral_key(&conn->kex_params.server_ecc_evp_params));
270
271 /* Write it out and calculate the data to sign later */
272 POSIX_GUARD(s2n_ecc_evp_write_params(&conn->kex_params.server_ecc_evp_params, out, data_to_sign));
273 return 0;
274 }
275
s2n_dhe_server_key_send(struct s2n_connection * conn,struct s2n_blob * data_to_sign)276 int s2n_dhe_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
277 {
278 struct s2n_stuffer *out = &conn->handshake.io;
279
280 /* Duplicate the DH key from the config */
281 POSIX_GUARD(s2n_dh_params_copy(conn->config->dhparams, &conn->kex_params.server_dh_params));
282
283 /* Generate an ephemeral key */
284 POSIX_GUARD(s2n_dh_generate_ephemeral_key(&conn->kex_params.server_dh_params));
285
286 /* Write it out and calculate the data to sign later */
287 POSIX_GUARD(s2n_dh_params_to_p_g_Ys(&conn->kex_params.server_dh_params, out, data_to_sign));
288 return 0;
289 }
290
s2n_kem_server_key_send(struct s2n_connection * conn,struct s2n_blob * data_to_sign)291 int s2n_kem_server_key_send(struct s2n_connection *conn, struct s2n_blob *data_to_sign)
292 {
293 struct s2n_stuffer *out = &conn->handshake.io;
294 const struct s2n_kem *kem = conn->kex_params.kem_params.kem;
295
296 data_to_sign->data = s2n_stuffer_raw_write(out, 0);
297 POSIX_ENSURE_REF(data_to_sign->data);
298
299 POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->kem_extension_id));
300 POSIX_GUARD(s2n_kem_send_public_key(out, &(conn->kex_params.kem_params)));
301
302 data_to_sign->size = sizeof(kem_extension_size) + sizeof(kem_public_key_size) + kem->public_key_length;
303
304 return 0;
305 }
306
s2n_hybrid_server_key_send(struct s2n_connection * conn,struct s2n_blob * total_data_to_sign)307 int s2n_hybrid_server_key_send(struct s2n_connection *conn, struct s2n_blob *total_data_to_sign)
308 {
309 POSIX_ENSURE_REF(conn);
310 POSIX_ENSURE_REF(conn->secure.cipher_suite);
311 const struct s2n_kex *kex = conn->secure.cipher_suite->key_exchange_alg;
312 const struct s2n_kex *hybrid_kex_0 = kex->hybrid[0];
313 const struct s2n_kex *hybrid_kex_1 = kex->hybrid[1];
314
315 /* Keep a copy to the start of the whole structure for the signature check */
316 total_data_to_sign->data = s2n_stuffer_raw_write(&conn->handshake.io, 0);
317 POSIX_ENSURE_REF(total_data_to_sign->data);
318
319 struct s2n_blob data_to_verify_0 = {0};
320 POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_0, conn, &data_to_verify_0));
321
322 struct s2n_blob data_to_verify_1 = {0};
323 POSIX_GUARD_RESULT(s2n_kex_server_key_send(hybrid_kex_1, conn, &data_to_verify_1));
324
325 total_data_to_sign->size = data_to_verify_0.size + data_to_verify_1.size;
326 return 0;
327 }
328
s2n_server_key_send_write_signature(struct s2n_connection * conn,struct s2n_blob * signature)329 int s2n_server_key_send_write_signature(struct s2n_connection *conn, struct s2n_blob *signature)
330 {
331 struct s2n_stuffer *out = &conn->handshake.io;
332
333 POSIX_GUARD(s2n_stuffer_write_uint16(out, signature->size));
334 POSIX_GUARD(s2n_stuffer_write_bytes(out, signature->data, signature->size));
335
336 return 0;
337 }
338