1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include "s2n_test.h"
17
18 #include "tls/s2n_cipher_suites.h"
19 #include "tls/s2n_connection.h"
20 #include "tls/s2n_tls.h"
21 #include "stuffer/s2n_stuffer.h"
22 #include "utils/s2n_safety.h"
23
reset_stuffers(struct s2n_stuffer * reread,struct s2n_stuffer * wipe)24 static int reset_stuffers(struct s2n_stuffer *reread, struct s2n_stuffer *wipe)
25 {
26 POSIX_GUARD(s2n_stuffer_reread(reread));
27 POSIX_GUARD(s2n_stuffer_wipe(wipe));
28 return 0;
29 }
30
main(int argc,char ** argv)31 int main(int argc, char **argv)
32 {
33 BEGIN_TEST();
34 EXPECT_SUCCESS(s2n_disable_tls13());
35
36 /* Test s2n_tls13_client_finished_send and s2n_tls13_client_finished_recv */
37 {
38 struct s2n_cipher_suite cipher_suites[] = {
39 s2n_tls13_aes_128_gcm_sha256,
40 s2n_tls13_aes_256_gcm_sha384,
41 s2n_tls13_chacha20_poly1305_sha256
42 };
43
44 int hash_sizes[] = {
45 32, 48, 32
46 };
47
48 for (int i = 0; i < 3; i++) {
49 struct s2n_connection *client_conn;
50 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
51
52 client_conn->actual_protocol_version = S2N_TLS13;
53 client_conn->secure.cipher_suite = &cipher_suites[i];
54
55 int hash_size = hash_sizes[i];
56
57 EXPECT_SUCCESS(s2n_tls13_client_finished_send(client_conn));
58 EXPECT_EQUAL(s2n_stuffer_data_available(&client_conn->handshake.io), hash_size);
59
60 struct s2n_connection *server_conn;
61 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
62 server_conn->actual_protocol_version = S2N_TLS13;
63 server_conn->secure.cipher_suite = &cipher_suites[i];
64
65 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
66 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, hash_size));
67 EXPECT_SUCCESS(s2n_tls13_client_finished_recv(server_conn));
68
69 /* Expect failure if verify has a missing byte */
70 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
71 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, hash_size - 1));
72 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
73
74 /* Expect failure if verify have additional byte */
75 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
76 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, hash_size));
77 EXPECT_SUCCESS(s2n_stuffer_write_uint8(&server_conn->handshake.io, 0));
78 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
79
80 /* Expect failure if verify on wire is modified by 1 bit */
81 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
82 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, hash_size));
83 server_conn->handshake.io.blob.data[0] ^= 1;
84 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
85
86 /* Expect failure if finished key differs */
87 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
88 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, hash_size));
89 server_conn->handshake.client_finished[0] ^= 1;
90 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
91
92 EXPECT_SUCCESS(s2n_connection_free(server_conn));
93 EXPECT_SUCCESS(s2n_connection_free(client_conn));
94 }
95 }
96
97 /* Test that they can only run in TLS 1.3 mode */
98 {
99 struct s2n_connection *client_conn;
100 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
101 client_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
102
103 EXPECT_FAILURE(s2n_tls13_client_finished_send(client_conn));
104
105 /* now with TLS 1.3, server finished send can run */
106 client_conn->actual_protocol_version = S2N_TLS13;
107 EXPECT_SUCCESS(s2n_tls13_client_finished_send(client_conn));
108 EXPECT_EQUAL(s2n_stuffer_data_available(&client_conn->handshake.io), 48);
109
110 struct s2n_connection *server_conn;
111 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
112
113 server_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
114 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, 48));
115 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
116
117 EXPECT_SUCCESS(s2n_connection_free(server_conn));
118 EXPECT_SUCCESS(s2n_connection_free(client_conn));
119 }
120
121 /* Test for failure cases if cipher suites are incompatible */
122 {
123 struct s2n_connection *client_conn;
124 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
125
126 client_conn->actual_protocol_version = S2N_TLS13;
127 client_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
128
129 EXPECT_SUCCESS(s2n_tls13_client_finished_send(client_conn));
130 EXPECT_EQUAL(s2n_stuffer_data_available(&client_conn->handshake.io), 32);
131
132 struct s2n_connection *server_conn;
133 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
134 server_conn->actual_protocol_version = S2N_TLS13;
135 server_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
136
137 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
138 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, 32));
139 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
140
141 EXPECT_SUCCESS(s2n_connection_free(server_conn));
142 EXPECT_SUCCESS(s2n_connection_free(client_conn));
143 }
144
145 /* Test for failure cases when finished secret key differs */
146 {
147 struct s2n_connection *client_conn;
148 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
149
150 client_conn->actual_protocol_version = S2N_TLS13;
151 client_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
152
153 EXPECT_SUCCESS(s2n_tls13_client_finished_send(client_conn));
154 EXPECT_EQUAL(s2n_stuffer_data_available(&client_conn->handshake.io), 48);
155
156 struct s2n_connection *server_conn;
157 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
158 server_conn->actual_protocol_version = S2N_TLS13;
159 server_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
160
161 for (int i = 0; i < 48; i++) {
162 EXPECT_SUCCESS(reset_stuffers(&client_conn->handshake.io, &server_conn->handshake.io));
163 EXPECT_SUCCESS(s2n_stuffer_copy(&client_conn->handshake.io, &server_conn->handshake.io, 48));
164
165 /* flip a bit to test failure */
166 server_conn->handshake.client_finished[i] ^= 1;
167 EXPECT_FAILURE(s2n_tls13_client_finished_recv(server_conn));
168
169 /* flip the bit back */
170 server_conn->handshake.client_finished[i] ^= 1;
171 }
172
173 EXPECT_SUCCESS(s2n_connection_free(server_conn));
174 EXPECT_SUCCESS(s2n_connection_free(client_conn));
175 }
176
177 END_TEST();
178 return 0;
179 }
180