1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include <sys/param.h>
17
18 #include <s2n.h>
19 #include <time.h>
20
21 #include "error/s2n_errno.h"
22
23 #include "tls/s2n_connection.h"
24 #include "tls/s2n_alerts.h"
25 #include "tls/s2n_tls.h"
26 #include "tls/s2n_resume.h"
27 #include "tls/s2n_tls13_handshake.h"
28 #include "tls/s2n_record.h"
29
30 #include "stuffer/s2n_stuffer.h"
31
32 #include "utils/s2n_safety.h"
33 #include "utils/s2n_random.h"
34
35 /*
36 * The maximum size of the NewSessionTicket message, not taking into account the
37 * ticket itself.
38 *
39 * To get the actual maximum size required for the NewSessionTicket message, we'll need
40 * to add the size of the ticket, which is much less predictable.
41 *
42 * This constant is enforced via unit tests.
43 */
44 #define S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE 79
45
s2n_server_nst_recv(struct s2n_connection * conn)46 int s2n_server_nst_recv(struct s2n_connection *conn) {
47 POSIX_GUARD(s2n_stuffer_read_uint32(&conn->handshake.io, &conn->ticket_lifetime_hint));
48
49 uint16_t session_ticket_len;
50 POSIX_GUARD(s2n_stuffer_read_uint16(&conn->handshake.io, &session_ticket_len));
51
52 if (session_ticket_len > 0) {
53 POSIX_GUARD(s2n_realloc(&conn->client_ticket, session_ticket_len));
54
55 POSIX_GUARD(s2n_stuffer_read(&conn->handshake.io, &conn->client_ticket));
56
57 if (conn->config->session_ticket_cb != NULL) {
58 size_t session_len = s2n_connection_get_session_length(conn);
59
60 /* Alloc some memory for the serialized session ticket */
61 DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
62 POSIX_GUARD(s2n_alloc(&mem, S2N_STATE_FORMAT_LEN + S2N_SESSION_TICKET_SIZE_LEN + \
63 conn->client_ticket.size + S2N_TLS12_STATE_SIZE_IN_BYTES));
64
65 POSIX_GUARD(s2n_connection_get_session(conn, mem.data, session_len));
66 uint32_t session_lifetime = s2n_connection_get_session_ticket_lifetime_hint(conn);
67
68 struct s2n_session_ticket ticket = { .ticket_data = mem, .session_lifetime = session_lifetime };
69
70 POSIX_GUARD(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket));
71 }
72 }
73
74 return S2N_SUCCESS;
75 }
76
s2n_server_nst_send(struct s2n_connection * conn)77 int s2n_server_nst_send(struct s2n_connection *conn)
78 {
79 uint16_t session_ticket_len = S2N_TLS12_TICKET_SIZE_IN_BYTES;
80 uint8_t data[S2N_TLS12_TICKET_SIZE_IN_BYTES] = { 0 };
81 struct s2n_blob entry = { .data = data, .size = sizeof(data) };
82 struct s2n_stuffer to;
83 uint32_t lifetime_hint_in_secs = (conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos) / ONE_SEC_IN_NANOS;
84
85 /* When server changes it's mind mid handshake send lifetime hint and session ticket length as zero */
86 if (!conn->config->use_tickets) {
87 POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, 0));
88 POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, 0));
89
90 return 0;
91 }
92
93 if (!s2n_server_sending_nst(conn)) {
94 POSIX_BAIL(S2N_ERR_SENDING_NST);
95 }
96
97 POSIX_GUARD(s2n_stuffer_init(&to, &entry));
98 POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, lifetime_hint_in_secs));
99 POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, session_ticket_len));
100
101 POSIX_GUARD(s2n_encrypt_session_ticket(conn, &to));
102 POSIX_GUARD(s2n_stuffer_write(&conn->handshake.io, &to.blob));
103
104 /* For parity with TLS1.3, track the single ticket sent.
105 * This simplifies s2n_connection_get_tickets_sent.
106 */
107 conn->tickets_sent++;
108 return S2N_SUCCESS;
109 }
110
s2n_tls13_server_nst_send(struct s2n_connection * conn,s2n_blocked_status * blocked)111 S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_status *blocked)
112 {
113 RESULT_ENSURE_REF(conn);
114
115 /* Usually tickets are sent immediately after the handshake.
116 * If possible, reuse the handshake IO stuffer before it's wiped.
117 *
118 * Note: handshake.io isn't explicitly dedicated to only reading or only writing,
119 * so we have to be careful using it outside of s2n_negotiate.
120 * If we use it for writing here, we CAN'T use it for reading any post-handshake messages.
121 */
122 struct s2n_stuffer *nst_stuffer = &conn->handshake.io;
123
124 if (conn->mode != S2N_SERVER || conn->actual_protocol_version < S2N_TLS13 || !conn->config->use_tickets) {
125 return S2N_RESULT_OK;
126 }
127
128 /* No-op if all tickets already sent.
129 * Clean up the stuffer used for the ticket to conserve memory. */
130 if (conn->tickets_to_send == conn->tickets_sent) {
131 RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
132 return S2N_RESULT_OK;
133 }
134
135 /**
136 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
137 *# Note that in principle it is possible to continue issuing new tickets
138 *# which indefinitely extend the lifetime of the keying material
139 *# originally derived from an initial non-PSK handshake (which was most
140 *# likely tied to the peer's certificate). It is RECOMMENDED that
141 *# implementations place limits on the total lifetime of such keying
142 *# material; these limits should take into account the lifetime of the
143 *# peer's certificate, the likelihood of intervening revocation, and the
144 *# time since the peer's online CertificateVerify signature.
145 */
146 if (s2n_result_is_error(s2n_psk_validate_keying_material(conn))) {
147 conn->tickets_to_send = conn->tickets_sent;
148 return S2N_RESULT_OK;
149 }
150
151 RESULT_ENSURE(conn->tickets_sent <= conn->tickets_to_send, S2N_ERR_INTEGER_OVERFLOW);
152
153 size_t session_state_size = 0;
154 RESULT_GUARD(s2n_connection_get_session_state_size(conn, &session_state_size));
155 const size_t maximum_nst_size = session_state_size + S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE;
156 if (s2n_stuffer_space_remaining(nst_stuffer) < maximum_nst_size) {
157 RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, maximum_nst_size));
158 }
159
160 while (conn->tickets_to_send - conn->tickets_sent > 0) {
161 if (s2n_result_is_error(s2n_tls13_server_nst_write(conn, nst_stuffer))) {
162 return S2N_RESULT_OK;
163 }
164
165 struct s2n_blob nst_blob = { 0 };
166 uint16_t nst_size = s2n_stuffer_data_available(nst_stuffer);
167 uint8_t *nst_data = s2n_stuffer_raw_read(nst_stuffer, nst_size);
168 RESULT_ENSURE_REF(nst_data);
169 RESULT_GUARD_POSIX(s2n_blob_init(&nst_blob, nst_data, nst_size));
170
171 RESULT_GUARD_POSIX(s2n_record_write(conn, TLS_HANDSHAKE, &nst_blob));
172 RESULT_GUARD_POSIX(s2n_flush(conn, blocked));
173 RESULT_GUARD_POSIX(s2n_stuffer_wipe(nst_stuffer));
174 }
175
176 RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
177 return S2N_RESULT_OK;
178 }
179
180 /**
181 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
182 *# Indicates the lifetime in seconds as a 32-bit
183 *# unsigned integer in network byte order from the time of ticket
184 *# issuance.
185 **/
s2n_generate_ticket_lifetime(struct s2n_connection * conn,uint32_t * ticket_lifetime)186 static S2N_RESULT s2n_generate_ticket_lifetime(struct s2n_connection *conn, uint32_t *ticket_lifetime)
187 {
188 RESULT_ENSURE_REF(conn);
189 RESULT_ENSURE_MUT(ticket_lifetime);
190
191 uint32_t key_lifetime_in_secs =
192 (conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos) / ONE_SEC_IN_NANOS;
193 uint32_t session_lifetime_in_secs = conn->config->session_state_lifetime_in_nanos / ONE_SEC_IN_NANOS;
194 uint32_t key_and_session_min_lifetime = MIN(key_lifetime_in_secs, session_lifetime_in_secs);
195 /**
196 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
197 *# Servers MUST NOT use any value greater than
198 *# 604800 seconds (7 days).
199 **/
200 *ticket_lifetime = MIN(key_and_session_min_lifetime, ONE_WEEK_IN_SEC);
201
202 return S2N_RESULT_OK;
203 }
204
205 /**
206 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
207 *# A per-ticket value that is unique across all tickets
208 *# issued on this connection.
209 **/
s2n_generate_ticket_nonce(uint16_t value,struct s2n_blob * output)210 static S2N_RESULT s2n_generate_ticket_nonce(uint16_t value, struct s2n_blob *output)
211 {
212 RESULT_ENSURE_MUT(output);
213
214 struct s2n_stuffer stuffer = { 0 };
215 RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, output));
216 RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(&stuffer, value));
217
218 return S2N_RESULT_OK;
219 }
220
221 /**
222 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
223 *# A securely generated, random 32-bit value that is
224 *# used to obscure the age of the ticket that the client includes in
225 *# the "pre_shared_key" extension.
226 **/
s2n_generate_ticket_age_add(struct s2n_blob * random_data,uint32_t * ticket_age_add)227 static S2N_RESULT s2n_generate_ticket_age_add(struct s2n_blob *random_data, uint32_t *ticket_age_add)
228 {
229 RESULT_ENSURE_REF(random_data);
230 RESULT_ENSURE_REF(ticket_age_add);
231
232 struct s2n_stuffer stuffer = { 0 };
233 RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, random_data));
234 RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&stuffer, random_data->size));
235 RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(&stuffer, ticket_age_add));
236
237 return S2N_RESULT_OK;
238 }
239
240 /**
241 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
242 *# The PSK associated with the ticket is computed as:
243 *#
244 *# HKDF-Expand-Label(resumption_master_secret,
245 *# "resumption", ticket_nonce, Hash.length)
246 **/
s2n_generate_session_secret(struct s2n_connection * conn,struct s2n_blob * nonce,struct s2n_blob * output)247 static int s2n_generate_session_secret(struct s2n_connection *conn, struct s2n_blob *nonce, struct s2n_blob *output)
248 {
249 POSIX_ENSURE_REF(conn);
250 POSIX_ENSURE_REF(nonce);
251 POSIX_ENSURE_REF(output);
252
253 s2n_tls13_connection_keys(secrets, conn);
254 struct s2n_blob master_secret = { 0 };
255 POSIX_GUARD(s2n_blob_init(&master_secret, conn->resumption_master_secret, secrets.size));
256 POSIX_GUARD(s2n_realloc(output, secrets.size));
257 POSIX_GUARD_RESULT(s2n_tls13_derive_session_ticket_secret(&secrets, &master_secret, nonce, output));
258
259 return S2N_SUCCESS;
260 }
261
s2n_tls13_server_nst_write(struct s2n_connection * conn,struct s2n_stuffer * output)262 S2N_RESULT s2n_tls13_server_nst_write(struct s2n_connection *conn, struct s2n_stuffer *output)
263 {
264 RESULT_ENSURE_REF(conn);
265 RESULT_ENSURE_REF(output);
266
267 struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
268
269 /* Write message type because session resumption in TLS13 is a post-handshake message */
270 RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, TLS_SERVER_NEW_SESSION_TICKET));
271
272 struct s2n_stuffer_reservation message_size = { 0 };
273 RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint24(output, &message_size));
274
275 uint32_t ticket_lifetime_in_secs = 0;
276 RESULT_GUARD(s2n_generate_ticket_lifetime(conn, &ticket_lifetime_in_secs));
277 RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_lifetime_in_secs));
278
279 /* Get random data to use as ticket_age_add value */
280 uint8_t data[sizeof(uint32_t)] = { 0 };
281 struct s2n_blob random_data = { 0 };
282 RESULT_GUARD_POSIX(s2n_blob_init(&random_data, data, sizeof(data)));
283 /**
284 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
285 *# The server MUST generate a fresh value
286 *# for each ticket it sends.
287 **/
288 RESULT_GUARD(s2n_get_private_random_data(&random_data));
289 RESULT_GUARD(s2n_generate_ticket_age_add(&random_data, &ticket_fields->ticket_age_add));
290 RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_fields->ticket_age_add));
291
292 /* Write ticket nonce */
293 uint8_t nonce_data[sizeof(uint16_t)] = { 0 };
294 struct s2n_blob nonce = { 0 };
295 RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, sizeof(nonce_data)));
296 RESULT_GUARD(s2n_generate_ticket_nonce(conn->tickets_sent, &nonce));
297 RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, nonce.size));
298 RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(output, nonce.data, nonce.size));
299
300 /* Derive individual session ticket secret */
301 RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
302
303 /* Write ticket */
304 struct s2n_stuffer_reservation ticket_size = { 0 };
305 RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(output, &ticket_size));
306 RESULT_GUARD_POSIX(s2n_encrypt_session_ticket(conn, output));
307 RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&ticket_size));
308
309 RESULT_GUARD_POSIX(s2n_extension_list_send(S2N_EXTENSION_LIST_NST, conn, output));
310
311 RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&message_size));
312
313 RESULT_ENSURE(conn->tickets_sent < UINT16_MAX, S2N_ERR_INTEGER_OVERFLOW);
314 conn->tickets_sent++;
315
316 return S2N_RESULT_OK;
317 }
318
319 /**
320 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
321 *# struct {
322 *# uint32 ticket_lifetime;
323 *# uint32 ticket_age_add;
324 *# opaque ticket_nonce<0..255>;
325 *# opaque ticket<1..2^16-1>;
326 *# Extension extensions<0..2^16-2>;
327 *# } NewSessionTicket;
328 **/
s2n_tls13_server_nst_recv(struct s2n_connection * conn,struct s2n_stuffer * input)329 S2N_RESULT s2n_tls13_server_nst_recv(struct s2n_connection *conn, struct s2n_stuffer *input)
330 {
331 RESULT_ENSURE_REF(conn);
332 RESULT_ENSURE_REF(input);
333 RESULT_ENSURE_REF(conn->config);
334
335 RESULT_ENSURE(conn->actual_protocol_version >= S2N_TLS13, S2N_ERR_BAD_MESSAGE);
336 RESULT_ENSURE(conn->mode == S2N_CLIENT, S2N_ERR_BAD_MESSAGE);
337
338 if (!conn->config->use_tickets) {
339 return S2N_RESULT_OK;
340 }
341 struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
342
343 /* Handle `ticket_lifetime` field */
344 uint32_t ticket_lifetime = 0;
345 RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_lifetime));
346 /**
347 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
348 *# Servers MUST NOT use any value greater than
349 *# 604800 seconds (7 days).
350 */
351 RESULT_ENSURE(ticket_lifetime <= ONE_WEEK_IN_SEC, S2N_ERR_BAD_MESSAGE);
352 /**
353 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
354 *# The value of zero indicates that the
355 *# ticket should be discarded immediately.
356 */
357 if (ticket_lifetime == 0) {
358 return S2N_RESULT_OK;
359 }
360 conn->ticket_lifetime_hint = ticket_lifetime;
361
362 /* Handle `ticket_age_add` field */
363 RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_fields->ticket_age_add));
364
365 /* Handle `ticket_nonce` field */
366 uint8_t ticket_nonce_len = 0;
367 RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(input, &ticket_nonce_len));
368 uint8_t nonce_data[UINT8_MAX] = { 0 };
369 struct s2n_blob nonce = { 0 };
370 RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, ticket_nonce_len));
371 RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(input, nonce.data, ticket_nonce_len));
372 RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
373
374 /* Handle `ticket` field */
375 uint16_t session_ticket_len = 0;
376 RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(input, &session_ticket_len));
377 RESULT_ENSURE(session_ticket_len > 0, S2N_ERR_SAFETY);
378 RESULT_GUARD_POSIX(s2n_realloc(&conn->client_ticket, session_ticket_len));
379 RESULT_GUARD_POSIX(s2n_stuffer_read(input, &conn->client_ticket));
380
381 /* Handle `extensions` field */
382 RESULT_GUARD_POSIX(s2n_extension_list_recv(S2N_EXTENSION_LIST_NST, conn, input));
383
384 if (conn->config->session_ticket_cb != NULL) {
385 /* Retrieve serialized session data */
386 const uint16_t session_state_size = s2n_connection_get_session_length(conn);
387 DEFER_CLEANUP(struct s2n_blob session_state = { 0 }, s2n_free);
388 RESULT_GUARD_POSIX(s2n_realloc(&session_state, session_state_size));
389 RESULT_GUARD_POSIX(s2n_connection_get_session(conn, session_state.data, session_state.size));
390
391 struct s2n_session_ticket ticket = {
392 .ticket_data = session_state,
393 .session_lifetime = ticket_lifetime
394 };
395 RESULT_GUARD_POSIX(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket));
396 }
397
398 return S2N_RESULT_OK;
399 }
400