Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Changes ticket encryption scheme to be nonce-reuse resistant #4663

Merged
merged 19 commits into from
Aug 7, 2024
Merged

feat: Changes ticket encryption scheme to be nonce-reuse resistant #4663

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
1ba7ea7
Adds version num
maddeleine Jul 22, 2024
7f60b97
Adds forgotten rust binding
maddeleine Jul 23, 2024
c655887
Remove magic num
maddeleine Jul 23, 2024
2f1ba35
Fixes comment style
maddeleine Jul 24, 2024
e3f003e
Removes extra variable
maddeleine Jul 24, 2024
e1bc4e9
Adds extra check
maddeleine Jul 24, 2024
3c2879c
PR feedback
maddeleine Jul 26, 2024
9441a9c
Whoops
maddeleine Jul 26, 2024
4822b3b
cargo fmt
maddeleine Jul 26, 2024
ec37462
clippy
maddeleine Jul 26, 2024
5d7796d
fmt
maddeleine Jul 27, 2024
ec15171
PR feedback
maddeleine Jul 31, 2024
315926c
Fixed mem issue
maddeleine Aug 1, 2024
9bd07dd
PR feedback
maddeleine Aug 1, 2024
da3934f
Update tests/unit/s2n_resume_test.c
maddeleine Aug 5, 2024
c60581f
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 5, 2024
ce1131b
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 5, 2024
d509be6
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 6, 2024
e8ff5b9
Merge branch 'main' into stek_nonce_misuse_2
maddeleine Aug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions bindings/rust/s2n-tls/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -752,6 +752,14 @@ impl Builder {
Ok(self)
}

/// Requires that session tickets are only used when forward secrecy is possible
pub fn ticket_forward_secrecy(&mut self) -> Result<&mut Self, Error> {
unsafe {
s2n_config_require_ticket_forward_secrecy(self.as_mut_ptr(), true).into_result()
}?;
Ok(self)
}

pub fn build(mut self) -> Result<Config, Error> {
if self.load_system_certs {
unsafe {
Expand Down
79 changes: 37 additions & 42 deletions tests/unit/s2n_resume_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1281,13 +1281,8 @@ int main(int argc, char **argv)
};
};

/* s2n_resume_encrypt_session_ticket */
/* s2n_resume_encrypt/decrypt_session_ticket */
{
/* Session ticket keys. Taken from test vectors in https://tools.ietf.org/html/rfc5869 */
uint8_t ticket_key_name[16] = "2016.07.26.15\0";
S2N_BLOB_FROM_HEX(ticket_key,
"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5");

/* Check error is thrown when no ticket key is available */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -1302,16 +1297,11 @@ int main(int argc, char **argv)
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

/* Adds a valid ticket encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
uint64_t current_time = 0;
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

struct s2n_stuffer output = { 0 };
Expand All @@ -1322,15 +1312,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
conn->actual_protocol_version = S2N_TLS12;
conn->handshake.handshake_type = NEGOTIATED;
Expand Down Expand Up @@ -1362,16 +1347,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

/* Setting up session resumption encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

conn->actual_protocol_version = S2N_TLS13;
Expand Down Expand Up @@ -1404,16 +1383,10 @@ int main(int argc, char **argv)
{
struct s2n_connection *conn = NULL;
struct s2n_config *config = NULL;
uint64_t current_time = 0;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
EXPECT_NOT_NULL(config = s2n_config_new());

/* Setting up session resumption encryption key */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

conn->actual_protocol_version = S2N_TLS13;
Expand Down Expand Up @@ -1442,6 +1415,35 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_config_free(config));
};

/* Check error is thrown when wrong version number is read */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
conn->actual_protocol_version = S2N_TLS12;
conn->handshake.handshake_type = NEGOTIATED;

EXPECT_OK(s2n_resume_encrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&conn->client_ticket_to_decrypt), 0);

/* Modify the version number of the ticket */
uint8_t *version_num = conn->client_ticket_to_decrypt.blob.data;
EXPECT_EQUAL(*version_num, S2N_PRE_ENCRYPTED_STATE_V1);
*version_num = S2N_PRE_ENCRYPTED_STATE_V1 + 100;

EXPECT_ERROR_WITH_ERRNO(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt),
S2N_ERR_SAFETY);

/* The correct version number should succeed */
*version_num = S2N_PRE_ENCRYPTED_STATE_V1;
EXPECT_SUCCESS(s2n_stuffer_reread(&conn->client_ticket_to_decrypt));
EXPECT_OK(s2n_resume_decrypt_session_ticket(conn, &conn->client_ticket_to_decrypt));
}

/* Check session ticket can never be encrypted with a zero-filled ticket key */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free);
Expand All @@ -1450,10 +1452,7 @@ int main(int argc, char **argv)
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);

/* Add a valid ticket key to the store */
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, 0));
EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));

/* Manually zero out key bytes */
Expand All @@ -1474,13 +1473,9 @@ int main(int argc, char **argv)
const char test_app_proto[] = "https";

/* Setting up session resumption encryption key */
uint64_t current_time = 0;
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &current_time));
EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *) ticket_key_name),
ticket_key.data, ticket_key.size, current_time / ONE_SEC_IN_NANOS));
EXPECT_OK(s2n_resumption_test_ticket_key_setup(config));

struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
EXPECT_NOT_NULL(conn);
Expand Down
43 changes: 33 additions & 10 deletions tests/unit/s2n_session_ticket_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, s2n_array_len(ticket_key_name1));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name1, s2n_array_len(ticket_key_name1));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
Expand Down Expand Up @@ -393,7 +395,9 @@ int main(int argc, char **argv)
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);

/* Verify that the new NST is encrypted using second ST */
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, s2n_array_len(ticket_key_name2));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2, s2n_array_len(ticket_key_name2));

EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));

Expand Down Expand Up @@ -504,7 +508,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, s2n_array_len(ticket_key_name1));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name1, s2n_array_len(ticket_key_name1));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
Expand Down Expand Up @@ -574,7 +580,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, s2n_array_len(ticket_key_name2));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2, s2n_array_len(ticket_key_name2));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
Expand Down Expand Up @@ -640,7 +648,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, s2n_array_len(ticket_key_name1));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name1, s2n_array_len(ticket_key_name1));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
Expand Down Expand Up @@ -686,7 +696,10 @@ int main(int argc, char **argv)
/* Verify that client_ticket is empty */
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), 1 + 1 + client_conn->session_id_len + S2N_TLS12_STATE_SIZE_IN_BYTES);
EXPECT_EQUAL(memcmp(serialized_session_state, &s2n_state_with_session_id, 1), 0);
EXPECT_NOT_EQUAL(memcmp(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, s2n_array_len(ticket_key_name2)), 0);
EXPECT_NOT_EQUAL(memcmp(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2, s2n_array_len(ticket_key_name2)),
0);

/* Verify the lifetime hint from the server */
EXPECT_FAILURE_WITH_ERRNO(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_ERR_SESSION_TICKET_NOT_SUPPORTED);
Expand Down Expand Up @@ -809,7 +822,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, s2n_array_len(ticket_key_name1));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name1, s2n_array_len(ticket_key_name1));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
Expand Down Expand Up @@ -893,7 +908,9 @@ int main(int argc, char **argv)
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length),
serialized_session_state_length);
int result = memcmp(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2,
int result = memcmp(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2,
s2n_array_len(ticket_key_name2));
if (result == 0) {
expected_key_chosen = true;
Expand Down Expand Up @@ -967,7 +984,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, s2n_array_len(ticket_key_name2));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2, s2n_array_len(ticket_key_name2));

/* Verify the lifetime hint from the server */
EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), 86400 + 18000);
Expand Down Expand Up @@ -1027,7 +1046,9 @@ int main(int argc, char **argv)
/* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
serialized_session_state_length = s2n_connection_get_session_length(client_conn);
EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, s2n_array_len(ticket_key_name2));
EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES
+ S2N_TICKET_VERSION_SIZE,
ticket_key_name2, s2n_array_len(ticket_key_name2));

/* Verify that the keys are stored from oldest to newest */
EXPECT_OK(s2n_set_get(server_config->ticket_keys, 0, (void **) &ticket_key));
Expand Down Expand Up @@ -1098,6 +1119,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));

/* Setup stuffers value containing the valid key name, valid iv and invalid encrypted blob */
POSIX_GUARD(s2n_stuffer_write_uint8(&server_conn->client_ticket_to_decrypt, S2N_PRE_ENCRYPTED_STATE_V1));
POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, ticket_key_name1, s2n_array_len(ticket_key_name1)));

uint8_t valid_iv[S2N_TLS_GCM_IV_LEN] = { 0 };
Expand All @@ -1124,6 +1146,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));

/* Setup stuffers value containing the invalid key name, valid iv and invalid encrypted blob */
POSIX_GUARD(s2n_stuffer_write_uint8(&server_conn->client_ticket_to_decrypt, S2N_PRE_ENCRYPTED_STATE_V1));
POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, ticket_key_name2, s2n_array_len(ticket_key_name2)));

uint8_t valid_iv[S2N_TLS_GCM_IV_LEN] = { 0 };
Expand Down
Loading
Loading