s2n_client_renegotiation_info.c 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
  1. /*
  2. * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License").
  5. * You may not use this file except in compliance with the License.
  6. * A copy of the License is located at
  7. *
  8. * http://aws.amazon.com/apache2.0
  9. *
  10. * or in the "license" file accompanying this file. This file is distributed
  11. * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  12. * express or implied. See the License for the specific language governing
  13. * permissions and limitations under the License.
  14. */
  15. #include "tls/extensions/s2n_client_renegotiation_info.h"
  16. #include <stdint.h>
  17. #include <sys/param.h>
  18. #include "tls/s2n_tls.h"
  19. #include "utils/s2n_safety.h"
  20. static int s2n_client_renegotiation_send(struct s2n_connection *conn, struct s2n_stuffer *out);
  21. static int s2n_client_renegotiation_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
  22. static bool s2n_client_renegotiation_should_send(struct s2n_connection *conn);
  23. static int s2n_client_renegotiation_if_missing(struct s2n_connection *conn);
  24. const s2n_extension_type s2n_client_renegotiation_info_extension = {
  25. .iana_value = TLS_EXTENSION_RENEGOTIATION_INFO,
  26. .is_response = false,
  27. .send = s2n_client_renegotiation_send,
  28. .recv = s2n_client_renegotiation_recv,
  29. .should_send = s2n_client_renegotiation_should_send,
  30. .if_missing = s2n_client_renegotiation_if_missing,
  31. };
  32. /**
  33. *= https://tools.ietf.org/rfc/rfc5746#3.5
  34. *# o The client MUST include the "renegotiation_info" extension in the
  35. *# ClientHello
  36. */
  37. static bool s2n_client_renegotiation_should_send(struct s2n_connection *conn)
  38. {
  39. return conn && s2n_handshake_is_renegotiation(conn);
  40. }
  41. /**
  42. *= https://tools.ietf.org/rfc/rfc5746#3.5
  43. *# o The client MUST include the "renegotiation_info" extension in the
  44. *# ClientHello, containing the saved client_verify_data.
  45. */
  46. static int s2n_client_renegotiation_send(struct s2n_connection *conn, struct s2n_stuffer *out)
  47. {
  48. POSIX_ENSURE_REF(conn);
  49. /**
  50. *= https://tools.ietf.org/rfc/rfc5746#3.5
  51. *# This text applies if the connection's "secure_renegotiation" flag is
  52. *# set to TRUE (if it is set to FALSE, see Section 4.2).
  53. */
  54. POSIX_ENSURE(conn->secure_renegotiation, S2N_ERR_NO_RENEGOTIATION);
  55. uint8_t renegotiated_connection_len = conn->handshake.finished_len;
  56. POSIX_ENSURE_GT(renegotiated_connection_len, 0);
  57. POSIX_GUARD(s2n_stuffer_write_uint8(out, renegotiated_connection_len));
  58. POSIX_GUARD(s2n_stuffer_write_bytes(out, conn->handshake.client_finished, renegotiated_connection_len));
  59. return S2N_SUCCESS;
  60. }
  61. /**
  62. *= https://tools.ietf.org/rfc/rfc5746#3.6
  63. *# o The server MUST check if the "renegotiation_info" extension is
  64. *# included in the ClientHello.
  65. *
  66. * Note that this extension must also work for SSLv3:
  67. *= https://tools.ietf.org/rfc/rfc5746#4.5
  68. *# TLS servers that support secure renegotiation and support SSLv3 MUST accept SCSV or the
  69. *# "renegotiation_info" extension and respond as described in this
  70. *# specification even if the offered client version is {0x03, 0x00}.
  71. */
  72. static int s2n_client_renegotiation_recv_initial(struct s2n_connection *conn, struct s2n_stuffer *extension)
  73. {
  74. /**
  75. *= https://tools.ietf.org/rfc/rfc5746#3.6
  76. *# The server MUST then verify
  77. *# that the length of the "renegotiated_connection" field is zero,
  78. *# and if it is not, MUST abort the handshake.
  79. */
  80. uint8_t renegotiated_connection_len = 0;
  81. POSIX_GUARD(s2n_stuffer_read_uint8(extension, &renegotiated_connection_len));
  82. POSIX_ENSURE(s2n_stuffer_data_available(extension) == 0, S2N_ERR_NON_EMPTY_RENEGOTIATION_INFO);
  83. POSIX_ENSURE(renegotiated_connection_len == 0, S2N_ERR_NON_EMPTY_RENEGOTIATION_INFO);
  84. /**
  85. *= https://tools.ietf.org/rfc/rfc5746#3.6
  86. *# If the extension is present, set secure_renegotiation flag to TRUE.
  87. */
  88. conn->secure_renegotiation = 1;
  89. return S2N_SUCCESS;
  90. }
  91. static int s2n_client_renegotiation_recv_renegotiation(struct s2n_connection *conn, struct s2n_stuffer *extension)
  92. {
  93. POSIX_ENSURE_REF(conn);
  94. /* s2n-tls servers do not support renegotiation.
  95. * We add the renegotiation version of this logic only for testing.
  96. */
  97. POSIX_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);
  98. /**
  99. *= https://tools.ietf.org/rfc/rfc5746#3.7
  100. *# This text applies if the connection's "secure_renegotiation" flag is
  101. *# set to TRUE (if it is set to FALSE, see Section 4.4).
  102. */
  103. POSIX_ENSURE(conn->secure_renegotiation, S2N_ERR_NO_RENEGOTIATION);
  104. /**
  105. *= https://tools.ietf.org/rfc/rfc5746#3.7
  106. *# o The server MUST verify that the value of the
  107. *# "renegotiated_connection" field is equal to the saved
  108. *# client_verify_data value; if it is not, the server MUST abort the
  109. *# handshake.
  110. */
  111. uint8_t verify_data_len = conn->handshake.finished_len;
  112. POSIX_ENSURE_GT(verify_data_len, 0);
  113. uint8_t renegotiated_connection_len = 0;
  114. POSIX_GUARD(s2n_stuffer_read_uint8(extension, &renegotiated_connection_len));
  115. POSIX_ENSURE(verify_data_len == renegotiated_connection_len, S2N_ERR_BAD_MESSAGE);
  116. uint8_t *renegotiated_connection = s2n_stuffer_raw_read(extension, verify_data_len);
  117. POSIX_ENSURE_REF(renegotiated_connection);
  118. POSIX_ENSURE(s2n_constant_time_equals(renegotiated_connection, conn->handshake.client_finished, verify_data_len),
  119. S2N_ERR_BAD_MESSAGE);
  120. return S2N_SUCCESS;
  121. }
  122. static int s2n_client_renegotiation_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
  123. {
  124. if (s2n_handshake_is_renegotiation(conn)) {
  125. POSIX_GUARD(s2n_client_renegotiation_recv_renegotiation(conn, extension));
  126. } else {
  127. POSIX_GUARD(s2n_client_renegotiation_recv_initial(conn, extension));
  128. }
  129. POSIX_ENSURE(s2n_stuffer_data_available(extension) == 0, S2N_ERR_BAD_MESSAGE);
  130. return S2N_SUCCESS;
  131. }
  132. static int s2n_client_renegotiation_if_missing(struct s2n_connection *conn)
  133. {
  134. POSIX_ENSURE_REF(conn);
  135. if (s2n_handshake_is_renegotiation(conn)) {
  136. /* s2n-tls servers do not support renegotiation.
  137. * We add the renegotiation version of this logic only for testing.
  138. */
  139. POSIX_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);
  140. /**
  141. *= https://tools.ietf.org/rfc/rfc5746#3.7
  142. *# This text applies if the connection's "secure_renegotiation" flag is
  143. *# set to TRUE (if it is set to FALSE, see Section 4.4).
  144. */
  145. POSIX_ENSURE(conn->secure_renegotiation, S2N_ERR_NO_RENEGOTIATION);
  146. /**
  147. *= https://tools.ietf.org/rfc/rfc5746#3.7
  148. *# o The server MUST verify that the "renegotiation_info" extension is
  149. *# present; if it is not, the server MUST abort the handshake.
  150. */
  151. POSIX_BAIL(S2N_ERR_MISSING_EXTENSION);
  152. } else {
  153. /**
  154. *= https://tools.ietf.org/rfc/rfc5746#3.6
  155. *# o If neither the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV nor the
  156. *# "renegotiation_info" extension was included, set the
  157. *# secure_renegotiation flag to FALSE. In this case, some servers
  158. *# may want to terminate the handshake instead of continuing
  159. *
  160. * We do not terminate the handshake for compatibility reasons.
  161. * See https://github.com/aws/s2n-tls/issues/3528
  162. */
  163. conn->secure_renegotiation = false;
  164. return S2N_SUCCESS;
  165. }
  166. }