Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Changes ticket encryption scheme to be nonce-reuse resistant #4663

Merged
merged 19 commits into from
Aug 7, 2024
Merged

feat: Changes ticket encryption scheme to be nonce-reuse resistant #4663

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
1ba7ea7
Adds version num
maddeleine Jul 22, 2024
7f60b97
Adds forgotten rust binding
maddeleine Jul 23, 2024
c655887
Remove magic num
maddeleine Jul 23, 2024
2f1ba35
Fixes comment style
maddeleine Jul 24, 2024
e3f003e
Removes extra variable
maddeleine Jul 24, 2024
e1bc4e9
Adds extra check
maddeleine Jul 24, 2024
3c2879c
PR feedback
maddeleine Jul 26, 2024
9441a9c
Whoops
maddeleine Jul 26, 2024
4822b3b
cargo fmt
maddeleine Jul 26, 2024
ec37462
clippy
maddeleine Jul 26, 2024
5d7796d
fmt
maddeleine Jul 27, 2024
ec15171
PR feedback
maddeleine Jul 31, 2024
315926c
Fixed mem issue
maddeleine Aug 1, 2024
9bd07dd
PR feedback
maddeleine Aug 1, 2024
da3934f
Update tests/unit/s2n_resume_test.c
maddeleine Aug 5, 2024
c60581f
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 5, 2024
ce1131b
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 5, 2024
d509be6
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 6, 2024
e8ff5b9
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions bindings/rust/s2n-tls/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -752,6 +752,14 @@ impl Builder {
Ok(self)
}

/// Requires that session tickets are only used when forward secrecy is possible
pub fn require_ticket_forward_secrecy(&mut self, enable: bool) -> Result<&mut Self, Error> {
unsafe {
s2n_config_require_ticket_forward_secrecy(self.as_mut_ptr(), enable).into_result()
}?;
Ok(self)
}

pub fn build(mut self) -> Result<Config, Error> {
if self.load_system_certs {
unsafe {
Expand Down
125 changes: 83 additions & 42 deletions tests/unit/s2n_resume_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1281,13 +1281,8 @@ int main(int argc, char **argv)
};
};

/* s2n_resume_encrypt_session_ticket */
/* s2n_resume_encrypt/decrypt_session_ticket */
{
/* Session ticket keys. Taken from test vectors in https://tools.ietf.org/html/rfc5869 */
uint8_t ticket_key_name[16] = "2016.07.26.15\0";
S2N_BLOB_FROM_HEX(ticket_key,
"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5");

/* Check error is thrown when no ticket key is available */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -1302,16 +1297,11 @@ int main(int argc, char **argv)
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

/* Adds a valid ticket encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
uint64_t current_time = 0;
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

struct s2n_stuffer output = { 0 };
Expand All @@ -1322,15 +1312,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
conn->actual_protocol_version = S2N_TLS12;
conn->handshake.handshake_type = NEGOTIATED;
Expand Down Expand Up @@ -1362,16 +1347,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

/* Setting up session resumption encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

conn->actual_protocol_version = S2N_TLS13;
Expand Down Expand Up @@ -1404,16 +1383,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

/* Setting up session resumption encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

conn->actual_protocol_version = S2N_TLS13;
Expand Down Expand Up @@ -1442,6 +1415,81 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_config_free(config));
};

/* Check error is thrown when wrong version number is read */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
conn->actual_protocol_version = S2N_TLS12;
conn->handshake.handshake_type = NEGOTIATED;

EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&conn->client_ticket_to_decrypt), 0);

/* Modify the version number of the ticket */
uint8_t *version_num = conn->client_ticket_to_decrypt.blob.data;
EXPECT_EQUAL(*version_num, S2N_PRE_ENCRYPTED_STATE_V1);
*version_num = S2N_PRE_ENCRYPTED_STATE_V1 + 100;

EXPECT_ERROR_WITH_ERRNO(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt),
S2N_ERR_SAFETY);

/* The correct version number should succeed */
*version_num = S2N_PRE_ENCRYPTED_STATE_V1;
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->client_ticket_to_decrypt));
EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
}

/* Check error is thrown when info bytes used to generate the ticket key are incorrect */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
conn->actual_protocol_version = S2N_TLS12;
conn->handshake.handshake_type = NEGOTIATED;

DEFER_CLEANUP(struct s2n_stuffer valid_ticket = { 0 }, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&valid_ticket, 0));
EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &valid_ticket));
uint32_t ticket_size = s2n_stuffer_data_available(&valid_ticket);

/* Copy ticket so that we don't modify the original ticket */
EXPECT_SUCCESS(s2n_stuffer_copy(&valid_ticket, &conn->client_ticket_to_decrypt,
ticket_size));

/* We assert that everything up to the info bytes is as expected since this test checks
* a failure condition. This will cause this test to fail earlier if we change the
* serialization format in the future. */
uint8_t version_number = 0;
EXPECT_SUCCESS(s2n_stuffer_read_uint8(&conn->client_ticket_to_decrypt, &version_number));
EXPECT_EQUAL(version_number, S2N_PRE_ENCRYPTED_STATE_V1);
uint8_t key_name[S2N_TICKET_KEY_NAME_LEN] = { 0 };
EXPECT_SUCCESS(s2n_stuffer_read_bytes(&conn->client_ticket_to_decrypt, key_name, sizeof(key_name)));
EXPECT_BYTEARRAY_EQUAL(key_name, "2016.07.26.15\0\0", S2N_TICKET_KEY_NAME_LEN);
uint8_t *info_ptr = s2n_stuffer_raw_read(&conn->client_ticket_to_decrypt, S2N_TICKET_INFO_SIZE);

/* Zero out the info bytes on the ticket.*/
memset(info_ptr, 0, S2N_TICKET_INFO_SIZE);
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->client_ticket_to_decrypt));

EXPECT_ERROR_WITH_ERRNO(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt),
S2N_ERR_DECRYPT);

/* The correct info bytes should succeed */
EXPECT_SUCCESS(s2n_stuffer_reread(&valid_ticket));
EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &valid_ticket));
}

/* Check session ticket can never be encrypted with a zero-filled ticket key */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free);
Expand All @@ -1450,10 +1498,7 @@ int main(int argc, char **argv)
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

/* Add a valid ticket key to the store */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, 0));
EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

/* Manually zero out key bytes */
Expand All @@ -1474,13 +1519,9 @@ int main(int argc, char **argv)
const char test_app_proto[] = "https";

/* Setting up session resumption encryption key */
uint64_t current_time = 0;
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));
EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));

struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
EXPECT_NOT_NULL(conn);
Expand Down
Loading
Loading