aws · maddeleine · May 30, 2024 · May 23, 2024 · May 24, 2024 · May 24, 2024
diff --git a/tests/unit/s2n_connection_serialize_test.c b/tests/unit/s2n_connection_serialize_test.c
@@ -31,16 +31,20 @@ static S2N_RESULT s2n_test_key_update(struct s2n_connection *client_conn, struct
     /* One side initiates key update */
     RESULT_GUARD_POSIX(s2n_connection_request_key_update(client_conn, S2N_KEY_UPDATE_NOT_REQUESTED));
 
-    /* Sending and receiving is successful after key update */
-    EXPECT_OK(s2n_send_and_recv_test(client_conn, server_conn));
+    /* Sending and receiving multiple times is successful after key update */
+    for (size_t i = 0; i < 10; i++) {
+        EXPECT_OK(s2n_send_and_recv_test(client_conn, server_conn));
+    }
     EXPECT_EQUAL(client_conn->send_key_updated, 1);
     EXPECT_EQUAL(server_conn->recv_key_updated, 1);
 
     /* Other side initiates key update */
     EXPECT_SUCCESS(s2n_connection_request_key_update(server_conn, S2N_KEY_UPDATE_NOT_REQUESTED));
 
-    /* Sending and receiving is successful after key update */
-    EXPECT_OK(s2n_send_and_recv_test(server_conn, client_conn));
+    /* Sending and receiving multiple times is successful after key update */
+    for (size_t i = 0; i < 10; i++) {
+        EXPECT_OK(s2n_send_and_recv_test(server_conn, client_conn));
+    }
     EXPECT_EQUAL(client_conn->recv_key_updated, 1);
     EXPECT_EQUAL(server_conn->send_key_updated, 1);
 
@@ -366,6 +370,35 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_recv(server_conn, &recv_buf, sizeof(recv_buf), &blocked));
             EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));
         };
+
+        /* Cannot send or recv after serialization */
+        {
+            DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
+                    s2n_connection_ptr_free);
+            EXPECT_NOT_NULL(client_conn);
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_NOT_NULL(server_conn);
+
+            EXPECT_SUCCESS(s2n_connection_set_config(client_conn, tls13_config));
+            EXPECT_SUCCESS(s2n_connection_set_config(server_conn, tls13_config));
+
+            DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
+            EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
+            EXPECT_OK(s2n_connections_set_io_stuffer_pair(client_conn, server_conn, &io_pair));
+
+            EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
+
+            uint8_t buffer[S2N_SERIALIZED_CONN_TLS12_SIZE] = { 0 };
+            EXPECT_SUCCESS(s2n_connection_serialize(server_conn, buffer, sizeof(buffer)));
+
+            s2n_blocked_status blocked = S2N_NOT_BLOCKED;
+            const uint8_t send_data[] = "hello world";
+            EXPECT_FAILURE_WITH_ERRNO(s2n_send(server_conn, send_data, sizeof(send_data), &blocked), S2N_ERR_CLOSED);
+
+            uint8_t recv_data = 0;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_recv(server_conn, &recv_data, sizeof(recv_data), &blocked), S2N_ERR_CLOSED);
+        }
     };
 
     /* s2n_connection_deserialize */
@@ -465,8 +498,10 @@ int main(int argc, char **argv)
         EXPECT_OK(s2n_connections_set_io_stuffer_pair(new_client_conn, server_conn, &io_pair));
 
         /* Client can send and recv as usual */
-        EXPECT_OK(s2n_send_and_recv_test(server_conn, new_client_conn));
-        EXPECT_OK(s2n_send_and_recv_test(new_client_conn, server_conn));
+        for (size_t idx = 0; idx < 1000; idx++) {
+            EXPECT_OK(s2n_send_and_recv_test(server_conn, new_client_conn));
+            EXPECT_OK(s2n_send_and_recv_test(new_client_conn, server_conn));
+        }
     };
 
     /* Self-talk: Server can be serialized and deserialized and continue sending and receiving data
@@ -507,8 +542,10 @@ int main(int argc, char **argv)
         EXPECT_OK(s2n_connections_set_io_stuffer_pair(client_conn, new_server_conn, &io_pair));
 
         /* Server can send and recv as usual */
-        EXPECT_OK(s2n_send_and_recv_test(new_server_conn, client_conn));
-        EXPECT_OK(s2n_send_and_recv_test(client_conn, new_server_conn));
+        for (size_t idx = 0; idx < 1000; idx++) {
+            EXPECT_OK(s2n_send_and_recv_test(new_server_conn, client_conn));
+            EXPECT_OK(s2n_send_and_recv_test(client_conn, new_server_conn));
+        }
     };
 
     /* Self-talk: Test interaction between TLS1.2 session resumption and serialization */

diff --git a/tls/s2n_connection_serialize.c b/tls/s2n_connection_serialize.c
@@ -17,6 +17,7 @@
 
 #include "tls/s2n_connection.h"
 #include "tls/s2n_tls13_key_schedule.h"
+#include "crypto/s2n_sequence.h"
 
 int s2n_connection_serialization_length(struct s2n_connection *conn, uint32_t *length)
 {
@@ -119,6 +120,10 @@ int s2n_connection_serialize(struct s2n_connection *conn, uint8_t *buffer, uint3
         POSIX_GUARD_RESULT(s2n_connection_serialize_secrets(conn, &output));
     }
 
+    /* Users should not be able to use the connection after serialization as that
+     * could lead to nonce reuse. */
+    POSIX_GUARD_RESULT(s2n_connection_set_closed(conn));
+
     return S2N_SUCCESS;
 }
 
@@ -211,6 +216,53 @@ static S2N_RESULT s2n_connection_deserialize_parse(uint8_t *buffer, uint32_t buf
     return S2N_RESULT_OK;
 }
 
+/* Boringssl and AWS-LC do a special check in tls13 during the first call to encrypt after
+ * initialization. In the first call they assume that the sequence number will be 0, and therefore
+ * the provided nonce is equivalent to the implicit IV because 0 ^ iv = iv. The recovered implicit IV
+ * is stored and used later on to ensure the monotonicity of sequence numbers.
+ *
+ * In the case of deserialization, in the first call the sequence number may not be 0.
+ * Therefore the provided nonce cannot be considered to be the implicit IV because n ^ iv != iv.
+ * This inability to get the correct implicit IV causes issues with encryption later on.
+ *
+ * To resolve this we preform one throwaway encryption call with a zero sequence number after
+ * deserialization. This allows the libcrypto to recover the implicit IV correctly.
+ */
+static S2N_RESULT s2n_throwaway_encrypt(struct s2n_connection *conn, struct s2n_connection_deserialize *parsed_values)
+{
+    RESULT_ENSURE_REF(conn);
+    RESULT_ENSURE_REF(parsed_values);
+
+    uint8_t *seq_num = parsed_values->server_sequence_number;
+    uint8_t *implicit_iv = conn->server->server_implicit_iv;
+    struct s2n_session_key key = conn->server->server_key;
+    if (conn->mode == S2N_CLIENT) {
+        seq_num = parsed_values->client_sequence_number;
+        implicit_iv = conn->client->client_implicit_iv;
+        key = conn->client->client_key;
+    }
+
+    uint64_t output = 0;
+    struct s2n_blob seq_num_blob = { 0 };
+    RESULT_GUARD_POSIX(s2n_blob_init(&seq_num_blob, seq_num, S2N_TLS_SEQUENCE_NUM_LEN));
+    RESULT_GUARD_POSIX(s2n_sequence_number_to_uint64(&seq_num_blob, &output));
+    if (output > 0) {
+        uint8_t in_data[S2N_TLS_GCM_TAG_LEN] = { 0 };
+        struct s2n_blob in_blob = { 0 };
+        RESULT_GUARD_POSIX(s2n_blob_init(&in_blob, in_data, sizeof(in_data)));
+
+        struct s2n_blob iv_blob = { 0 };
+        RESULT_GUARD_POSIX(s2n_blob_init(&iv_blob, implicit_iv, S2N_TLS13_FIXED_IV_LEN));
+
+        struct s2n_blob aad_blob = { 0 };
+        RESULT_GUARD_POSIX(s2n_blob_init(&aad_blob, NULL, 0));
+
+        RESULT_GUARD_POSIX(conn->secure->cipher_suite->record_alg->cipher->io.aead.encrypt(&key,
+                &iv_blob, &aad_blob, &in_blob, &in_blob));
+    }
+    return S2N_RESULT_OK;
+}
+
 static S2N_RESULT s2n_restore_tls13_secrets(struct s2n_connection *conn, struct s2n_connection_deserialize *parsed_values)
 {
     RESULT_ENSURE_REF(conn);
@@ -226,6 +278,10 @@ static S2N_RESULT s2n_restore_tls13_secrets(struct s2n_connection *conn, struct
     RESULT_GUARD(s2n_tls13_key_schedule_set_key(conn, S2N_MASTER_SECRET, S2N_SERVER));
     RESULT_GUARD(s2n_tls13_key_schedule_set_key(conn, S2N_MASTER_SECRET, S2N_CLIENT));
 
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+    RESULT_GUARD(s2n_throwaway_encrypt(conn, parsed_values));
+#endif
+
     return S2N_RESULT_OK;
 }