Skip to content

Commit

Permalink
fix: init implicit iv for serialization feature (#4572)
Browse files Browse the repository at this point in the history
  • Loading branch information
@maddeleine
maddeleine committed May 30, 2024
1 parent 622bcd3 commit 76af4d0
Show file tree
Hide file tree
Showing 4 changed files with 211 additions and 18 deletions.
23 changes: 23 additions & 0 deletions tests/features/S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

#include <openssl/aead.h>

int main()
{
EVP_aead_aes_256_gcm_tls13();
EVP_aead_aes_128_gcm_tls13();
return 0;
}
Empty file added tests/features/S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS.flags
View file
Empty file.
116 changes: 98 additions & 18 deletions tests/unit/s2n_connection_serialize_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,16 +31,20 @@ static S2N_RESULT s2n_test_key_update(struct s2n_connection *client_conn, struct
/* One side initiates key update */
RESULT_GUARD_POSIX(s2n_connection_request_key_update(client_conn, S2N_KEY_UPDATE_NOT_REQUESTED));

/* Sending and receiving is successful after key update */
EXPECT_OK(s2n_send_and_recv_test(client_conn, server_conn));
/* Sending and receiving multiple times is successful after key update */
for (size_t i = 0; i < 10; i++) {
EXPECT_OK(s2n_send_and_recv_test(client_conn, server_conn));
}
EXPECT_EQUAL(client_conn->send_key_updated, 1);
EXPECT_EQUAL(server_conn->recv_key_updated, 1);

/* Other side initiates key update */
EXPECT_SUCCESS(s2n_connection_request_key_update(server_conn, S2N_KEY_UPDATE_NOT_REQUESTED));

/* Sending and receiving is successful after key update */
EXPECT_OK(s2n_send_and_recv_test(server_conn, client_conn));
/* Sending and receiving multiple times is successful after key update */
for (size_t i = 0; i < 10; i++) {
EXPECT_OK(s2n_send_and_recv_test(server_conn, client_conn));
}
EXPECT_EQUAL(client_conn->recv_key_updated, 1);
EXPECT_EQUAL(server_conn->send_key_updated, 1);

Expand Down Expand Up @@ -189,6 +193,11 @@ int main(int argc, char **argv)

EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
EXPECT_EQUAL(s2n_connection_get_actual_protocol_version(server_conn), S2N_TLS12);
uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN] = { 0 };
EXPECT_SUCCESS(s2n_connection_get_cipher_iana_value(server_conn, &iana_value[0], &iana_value[1]));

uint32_t length = 0;
EXPECT_SUCCESS(s2n_connection_serialization_length(server_conn, &length));

uint8_t buffer[S2N_SERIALIZED_CONN_TLS12_SIZE] = { 0 };
EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));
Expand All @@ -197,9 +206,6 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_blob_init(&blob, buffer, sizeof(buffer)));
struct s2n_stuffer stuffer = { 0 };
EXPECT_SUCCESS(s2n_stuffer_init_written(&stuffer, &blob));

uint32_t length = 0;
EXPECT_SUCCESS(s2n_connection_serialization_length(server_conn, &length));
EXPECT_EQUAL(length, s2n_stuffer_data_available(&stuffer));

uint64_t serialized_version = 0;
Expand All @@ -213,8 +219,7 @@ int main(int argc, char **argv)

uint8_t cipher_suite[S2N_TLS_CIPHER_SUITE_LEN] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&stuffer, cipher_suite, S2N_TLS_CIPHER_SUITE_LEN));
EXPECT_BYTEARRAY_EQUAL(cipher_suite, server_conn->secure->cipher_suite->iana_value,
S2N_TLS_CIPHER_SUITE_LEN);
EXPECT_BYTEARRAY_EQUAL(cipher_suite, iana_value, S2N_TLS_CIPHER_SUITE_LEN);

uint8_t client_sequence_number[S2N_TLS_SEQUENCE_NUM_LEN] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&stuffer, client_sequence_number,
Expand Down Expand Up @@ -269,6 +274,11 @@ int main(int argc, char **argv)

EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
EXPECT_EQUAL(s2n_connection_get_actual_protocol_version(server_conn), S2N_TLS13);
uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN] = { 0 };
EXPECT_SUCCESS(s2n_connection_get_cipher_iana_value(server_conn, &iana_value[0], &iana_value[1]));

uint32_t length = 0;
EXPECT_SUCCESS(s2n_connection_serialization_length(server_conn, &length));

uint8_t buffer[S2N_SERIALIZED_CONN_TLS13_SHA256_SIZE] = { 0 };
EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));
Expand All @@ -277,9 +287,6 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_blob_init(&blob, buffer, sizeof(buffer)));
struct s2n_stuffer stuffer = { 0 };
EXPECT_SUCCESS(s2n_stuffer_init_written(&stuffer, &blob));

uint32_t length = 0;
EXPECT_SUCCESS(s2n_connection_serialization_length(server_conn, &length));
EXPECT_EQUAL(length, s2n_stuffer_data_available(&stuffer));

uint64_t serialized_version = 0;
Expand All @@ -293,8 +300,7 @@ int main(int argc, char **argv)

uint8_t cipher_suite[S2N_TLS_CIPHER_SUITE_LEN] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&stuffer, cipher_suite, S2N_TLS_CIPHER_SUITE_LEN));
EXPECT_BYTEARRAY_EQUAL(cipher_suite, server_conn->secure->cipher_suite->iana_value,
S2N_TLS_CIPHER_SUITE_LEN);
EXPECT_BYTEARRAY_EQUAL(cipher_suite, iana_value, S2N_TLS_CIPHER_SUITE_LEN);

uint8_t client_sequence_number[S2N_TLS_SEQUENCE_NUM_LEN] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&stuffer, client_sequence_number,
Expand Down Expand Up @@ -366,6 +372,76 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_recv(server_conn, &recv_buf, sizeof(recv_buf), &blocked));
EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));
};

/* Cannot send or recv after serialization */
{
DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(client_conn);
DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(server_conn);

EXPECT_SUCCESS(s2n_connection_set_config(client_conn, tls13_config));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, tls13_config));

DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
EXPECT_OK(s2n_connections_set_io_stuffer_pair(client_conn, server_conn, &io_pair));

EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));

uint8_t buffer[S2N_SERIALIZED_CONN_TLS12_SIZE] = { 0 };
EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));

s2n_blocked_status blocked = S2N_NOT_BLOCKED;
const uint8_t send_data[] = "hello world";
EXPECT_FAILURE_WITH_ERRNO(s2n_send(server_conn, send_data, sizeof(send_data), &blocked), S2N_ERR_CLOSED);

uint8_t recv_data = 0;
EXPECT_FAILURE_WITH_ERRNO(s2n_recv(server_conn, &recv_data, sizeof(recv_data), &blocked), S2N_ERR_CLOSED);

/* Calling shutdown after serialization will cause a plaintext alert to be sent
* since serialization wipes the encryption context. */
EXPECT_SUCCESS(s2n_shutdown_send(server_conn, &blocked));

const uint8_t expected_alert[] = {
TLS_ALERT,
S2N_TLS12 / 10,
S2N_TLS12 % 10,
0, 2,
S2N_TLS_ALERT_LEVEL_WARNING, S2N_TLS_ALERT_CLOSE_NOTIFY
};
uint8_t actual_alert[sizeof(expected_alert)] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&io_pair.client_in, actual_alert, sizeof(actual_alert)));
EXPECT_BYTEARRAY_EQUAL(actual_alert, expected_alert, sizeof(expected_alert));
}

/* Cannot serialize after connection has closed */
{
DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(client_conn);
DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(server_conn);

EXPECT_SUCCESS(s2n_connection_set_config(client_conn, tls13_config));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, tls13_config));

DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
EXPECT_OK(s2n_connections_set_io_stuffer_pair(client_conn, server_conn, &io_pair));

EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));

s2n_blocked_status blocked = S2N_NOT_BLOCKED;
EXPECT_SUCCESS(s2n_shutdown_send(server_conn, &blocked));

/* Serializing after the connection closes will cause an error */
uint8_t buffer[S2N_SERIALIZED_CONN_TLS12_SIZE] = { 0 };
EXPECT_FAILURE_WITH_ERRNO(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)), S2N_ERR_CLOSED);
}
};

/* s2n_connection_deserialize */
Expand Down Expand Up @@ -465,8 +541,10 @@ int main(int argc, char **argv)
EXPECT_OK(s2n_connections_set_io_stuffer_pair(new_client_conn, server_conn, &io_pair));

/* Client can send and recv as usual */
EXPECT_OK(s2n_send_and_recv_test(server_conn, new_client_conn));
EXPECT_OK(s2n_send_and_recv_test(new_client_conn, server_conn));
for (size_t idx = 0; idx < 1000; idx++) {
EXPECT_OK(s2n_send_and_recv_test(server_conn, new_client_conn));
EXPECT_OK(s2n_send_and_recv_test(new_client_conn, server_conn));
}
};

/* Self-talk: Server can be serialized and deserialized and continue sending and receiving data
Expand Down Expand Up @@ -507,8 +585,10 @@ int main(int argc, char **argv)
EXPECT_OK(s2n_connections_set_io_stuffer_pair(client_conn, new_server_conn, &io_pair));

/* Server can send and recv as usual */
EXPECT_OK(s2n_send_and_recv_test(new_server_conn, client_conn));
EXPECT_OK(s2n_send_and_recv_test(client_conn, new_server_conn));
for (size_t idx = 0; idx < 1000; idx++) {
EXPECT_OK(s2n_send_and_recv_test(new_server_conn, client_conn));
EXPECT_OK(s2n_send_and_recv_test(client_conn, new_server_conn));
}
};

/* Self-talk: Test interaction between TLS1.2 session resumption and serialization */
Expand Down
90 changes: 90 additions & 0 deletions tls/s2n_connection_serialize.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,19 @@

#include "tls/s2n_connection_serialize.h"

#include "crypto/s2n_sequence.h"
#include "tls/s2n_connection.h"
#include "tls/s2n_tls13_key_schedule.h"

static bool s2n_libcrypto_supports_evp_aead_tls(void)
{
#ifdef S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS
return true;
#else
return false;
#endif
}

int s2n_connection_serialization_length(struct s2n_connection *conn, uint32_t *length)
{
POSIX_ENSURE_REF(conn);
Expand Down Expand Up @@ -85,6 +95,11 @@ int s2n_connection_serialize(struct s2n_connection *conn, uint8_t *buffer, uint3
/* This method must be called after negotiation */
POSIX_ENSURE(s2n_handshake_is_complete(conn), S2N_ERR_HANDSHAKE_NOT_COMPLETE);

/* The connection must not be closed already. Otherwise, we might have an alert
* queued up that would be sent in cleartext after we disable encryption. */
s2n_io_status status = S2N_IO_FULL_DUPLEX;
POSIX_ENSURE(s2n_connection_check_io_status(conn, status), S2N_ERR_CLOSED);

/* Best effort check for pending input or output data.
* This method should not be called until the application has stopped sending and receiving.
* Saving partial read or partial write state would complicate this problem.
Expand Down Expand Up @@ -119,6 +134,17 @@ int s2n_connection_serialize(struct s2n_connection *conn, uint8_t *buffer, uint3
POSIX_GUARD_RESULT(s2n_connection_serialize_secrets(conn, &output));
}

/* Users should not be able to send/recv on the connection after serialization as that
* could lead to nonce reuse. We close the connection to prevent the application from sending
* more application data. However, the application could still send a close_notify alert record
* to shutdown the connection, so we also intentionally wipe keys and disable encryption.
*
* A plaintext close_notify alert is not a security concern, although the peer will likely consider
* it an error.
*/
POSIX_GUARD_RESULT(s2n_connection_set_closed(conn));
POSIX_GUARD_RESULT(s2n_crypto_parameters_wipe(conn->secure));

return S2N_SUCCESS;
}

Expand Down Expand Up @@ -211,6 +237,68 @@ static S2N_RESULT s2n_connection_deserialize_parse(uint8_t *buffer, uint32_t buf
return S2N_RESULT_OK;
}

/* Boringssl and AWS-LC do a special check in tls13 during the first call to encrypt after
* initialization. In the first call they assume that the sequence number will be 0, and therefore
* the provided nonce is equivalent to the implicit IV because 0 ^ iv = iv. The recovered implicit IV
* is stored and used later on to ensure the monotonicity of sequence numbers.
*
* In the case of deserialization, in the first call the sequence number may not be 0.
* Therefore the provided nonce cannot be considered to be the implicit IV because n ^ iv != iv.
* This inability to get the correct implicit IV causes issues with encryption later on.
*
* To resolve this we preform one throwaway encryption call with a zero sequence number after
* deserialization. This allows the libcrypto to recover the implicit IV correctly.
*/
static S2N_RESULT s2n_initialize_implicit_iv(struct s2n_connection *conn, struct s2n_connection_deserialize *parsed_values)
{
RESULT_ENSURE_REF(conn);
RESULT_ENSURE_REF(parsed_values);
RESULT_ENSURE_REF(conn->secure);
RESULT_ENSURE_REF(conn->server);
RESULT_ENSURE_REF(conn->client);

if (!s2n_libcrypto_supports_evp_aead_tls()) {
return S2N_RESULT_OK;
}

uint8_t *seq_num = parsed_values->server_sequence_number;
uint8_t *implicit_iv = conn->server->server_implicit_iv;
struct s2n_session_key key = conn->server->server_key;
if (conn->mode == S2N_CLIENT) {
seq_num = parsed_values->client_sequence_number;
implicit_iv = conn->client->client_implicit_iv;
key = conn->client->client_key;
}

uint64_t parsed_sequence_num = 0;
struct s2n_blob seq_num_blob = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&seq_num_blob, seq_num, S2N_TLS_SEQUENCE_NUM_LEN));
RESULT_GUARD_POSIX(s2n_sequence_number_to_uint64(&seq_num_blob, &parsed_sequence_num));

/* we don't need to initialize the context when the sequence number is 0 */
if (parsed_sequence_num == 0) {
return S2N_RESULT_OK;
}

uint8_t in_data[S2N_TLS_GCM_TAG_LEN] = { 0 };
struct s2n_blob in_blob = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&in_blob, in_data, sizeof(in_data)));

struct s2n_blob iv_blob = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&iv_blob, implicit_iv, S2N_TLS13_FIXED_IV_LEN));

struct s2n_blob aad_blob = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&aad_blob, NULL, 0));

RESULT_ENSURE_REF(conn->secure->cipher_suite);
RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg);
RESULT_ENSURE_REF(conn->secure->cipher_suite->record_alg->cipher);
RESULT_GUARD_POSIX(conn->secure->cipher_suite->record_alg->cipher->io.aead.encrypt(&key,
&iv_blob, &aad_blob, &in_blob, &in_blob));

return S2N_RESULT_OK;
}

static S2N_RESULT s2n_restore_tls13_secrets(struct s2n_connection *conn, struct s2n_connection_deserialize *parsed_values)
{
RESULT_ENSURE_REF(conn);
Expand All @@ -226,6 +314,8 @@ static S2N_RESULT s2n_restore_tls13_secrets(struct s2n_connection *conn, struct
RESULT_GUARD(s2n_tls13_key_schedule_set_key(conn, S2N_MASTER_SECRET, S2N_SERVER));
RESULT_GUARD(s2n_tls13_key_schedule_set_key(conn, S2N_MASTER_SECRET, S2N_CLIENT));

RESULT_GUARD(s2n_initialize_implicit_iv(conn, parsed_values));

return S2N_RESULT_OK;
}

Expand Down

0 comments on commit 76af4d0

Please sign in to comment.