Skip to content

Commit

Permalink
ktls: handle TLS1.3 key limits (aws#4318)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lrstewart
lrstewart authored Dec 16, 2023
1 parent 69daf63 commit 6eab3ad
Show file tree
Hide file tree
Showing 14 changed files with 590 additions and 18 deletions.
2 changes: 2 additions & 0 deletions error/s2n_errno.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,8 @@ static const char *no_such_error = "Internal s2n error";
ERR_ENTRY(S2N_ERR_ATOMIC, "Atomic operations in this environment would require locking") \
ERR_ENTRY(S2N_ERR_TEST_ASSERTION, "Test assertion failed") \
ERR_ENTRY(S2N_ERR_KTLS_RENEG, "kTLS does not support secure renegotiation") \
ERR_ENTRY(S2N_ERR_KTLS_KEYUPDATE, "Received KeyUpdate from peer, but kernel does not support updating tls keys") \
ERR_ENTRY(S2N_ERR_KTLS_KEY_LIMIT, "Reached key encryption limit, but kernel does not support updating tls keys") \
/* clang-format on */

#define ERR_STR_CASE(ERR, str) \
Expand Down
2 changes: 2 additions & 0 deletions error/s2n_errno.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ typedef enum {
S2N_ERR_MAX_EARLY_DATA_SIZE,
S2N_ERR_EARLY_DATA_TRIAL_DECRYPT,
S2N_ERR_NO_RENEGOTIATION,
S2N_ERR_KTLS_KEYUPDATE,
S2N_ERR_T_PROTO_END,

/* S2N_ERR_T_INTERNAL */
Expand Down Expand Up @@ -319,6 +320,7 @@ typedef enum {
S2N_ERR_KTLS_BAD_CMSG,
S2N_ERR_KTLS_RENEG,
S2N_ERR_ATOMIC,
S2N_ERR_KTLS_KEY_LIMIT,
S2N_ERR_T_USAGE_END,
} s2n_error;

Expand Down
64 changes: 64 additions & 0 deletions tests/unit/s2n_key_update_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,46 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_free(conn));
};

/* Key update messages not allowed with ktls */
{
DEFER_CLEANUP(struct s2n_stuffer input, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));

DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
conn->actual_protocol_version = S2N_TLS13;
EXPECT_NOT_NULL(conn->secure);
conn->secure->cipher_suite = &s2n_tls13_aes_256_gcm_sha384;

/* Fails if receiving with ktls:
* Kernel key update would be required.
*/
conn->ktls_send_enabled = true;
conn->ktls_recv_enabled = true;
EXPECT_SUCCESS(s2n_stuffer_write_uint8(&input, S2N_KEY_UPDATE_NOT_REQUESTED));
EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
EXPECT_SUCCESS(s2n_stuffer_wipe(&input));

/* Fails if only sending with ktls, but peer requested an update:
* Kernel key update would be required.
*/
conn->ktls_send_enabled = true;
conn->ktls_recv_enabled = false;
EXPECT_SUCCESS(s2n_stuffer_write_uint8(&input, S2N_KEY_UPDATE_REQUESTED));
EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
EXPECT_EQUAL(s2n_stuffer_data_available(&input), 0);

/* Succeeds if only sending with ktls and no update requested:
* No kernel key update would be required.
*/
conn->ktls_send_enabled = true;
conn->ktls_recv_enabled = false;
EXPECT_SUCCESS(s2n_stuffer_write_uint8(&input, S2N_KEY_UPDATE_NOT_REQUESTED));
EXPECT_SUCCESS(s2n_key_update_recv(conn, &input));
EXPECT_EQUAL(s2n_stuffer_data_available(&input), 0);
};

/* Key update message received contains invalid key update request */
{
DEFER_CLEANUP(struct s2n_stuffer input, s2n_stuffer_free);
Expand Down Expand Up @@ -442,6 +482,30 @@ int main(int argc, char **argv)

EXPECT_EQUAL(key_update_seq_num, expected);
};

/* KeyUpdate fails if ktls */
{
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
conn->actual_protocol_version = S2N_TLS13;
conn->ktls_send_enabled = true;

/* Passes if no KeyUpdate required */
s2n_blocked_status blocked = 0;
EXPECT_SUCCESS(s2n_key_update_send(conn, &blocked));
EXPECT_FALSE(s2n_atomic_flag_test(&conn->key_update_pending));

/* Set encryption limit */
EXPECT_NOT_NULL(conn->secure);
conn->secure->cipher_suite = cipher_suite_with_limit;
EXPECT_OK(s2n_write_uint64(record_limit, conn->secure->client_sequence_number));

/* Fails if KeyUpdate required */
EXPECT_FAILURE_WITH_ERRNO(
s2n_key_update_send(conn, &blocked),
S2N_ERR_KTLS_KEY_LIMIT);
EXPECT_TRUE(s2n_atomic_flag_test(&conn->key_update_pending));
};
};

/* s2n_check_record_limit */
Expand Down
47 changes: 47 additions & 0 deletions tests/unit/s2n_ktls_io_sendfile_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,20 @@
#include <fcntl.h>
#include <sys/socket.h>

#include "crypto/s2n_sequence.h"
#include "s2n_test.h"
#include "testlib/s2n_testlib.h"
#include "tls/s2n_ktls.h"
#include "utils/s2n_random.h"

static S2N_RESULT s2n_test_get_seq_num(struct s2n_connection *conn, uint64_t *seq_num_out)
{
struct s2n_blob seq_num = { 0 };
RESULT_GUARD(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));
RESULT_GUARD_POSIX(s2n_sequence_number_to_uint64(&seq_num, seq_num_out));
return S2N_RESULT_OK;
}

int main(int argc, char **argv)
{
BEGIN_TEST();
Expand Down Expand Up @@ -213,6 +222,44 @@ int main(int argc, char **argv)
EXPECT_EQUAL(blocked, S2N_NOT_BLOCKED);
};

/* Test: key encryption limit tracked */
{
struct s2n_record_algorithm test_record_alg = *s2n_tls13_aes_128_gcm_sha256.record_alg;
test_record_alg.encryption_limit = 0;
struct s2n_cipher_suite test_cipher_suite = s2n_tls13_aes_128_gcm_sha256;
test_cipher_suite.record_alg = &test_record_alg;

DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
conn->ktls_send_enabled = true;
conn->actual_protocol_version = S2N_TLS13;

DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
EXPECT_SUCCESS(s2n_connection_set_write_fd(conn, io_pair.server));

/* Test: The sequence number starts at 0 */
uint64_t seq_num = 1;
EXPECT_OK(s2n_test_get_seq_num(conn, &seq_num));
EXPECT_EQUAL(seq_num, 0);

/* Test: The sequence number tracks data sent */
s2n_blocked_status blocked = S2N_NOT_BLOCKED;
size_t bytes_written = 0;
EXPECT_SUCCESS(s2n_sendfile(conn, ro_file, 0, sizeof(test_data),
&bytes_written, &blocked));
EXPECT_OK(s2n_test_get_seq_num(conn, &seq_num));
EXPECT_TRUE(seq_num > 0);

/* Test: Enforce the encryption limit */
EXPECT_NOT_NULL(conn->secure);
conn->secure->cipher_suite = &test_cipher_suite;
EXPECT_FAILURE_WITH_ERRNO(
s2n_sendfile(conn, ro_file, 0, sizeof(test_data), &bytes_written, &blocked),
S2N_ERR_KTLS_KEY_LIMIT);
};

EXPECT_EQUAL(close(ro_file), 0);
END_TEST();
}
133 changes: 133 additions & 0 deletions tests/unit/s2n_ktls_io_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
* permissions and limitations under the License.
*/

#include "crypto/s2n_sequence.h"
#include "s2n_test.h"
#include "testlib/s2n_ktls_test_utils.h"
#include "testlib/s2n_mem_testlib.h"
Expand Down Expand Up @@ -62,6 +63,15 @@ static ssize_t s2n_test_ktls_recvmsg_eof(void *io_context, struct msghdr *msg)
return 0;
}

static ssize_t s2n_test_ktls_sendmsg_mark_all_sent(void *io_context, const struct msghdr *msg)
{
size_t sent = 0;
for (size_t i = 0; i < msg->msg_iovlen; i++) {
sent += msg->msg_iov[i].iov_len;
}
return sent;
}

ssize_t s2n_test_ktls_recvmsg_io_stuffer_and_ctrunc(void *io_context, struct msghdr *msg)
{
POSIX_ENSURE_REF(msg);
Expand All @@ -74,6 +84,14 @@ ssize_t s2n_test_ktls_recvmsg_io_stuffer_and_ctrunc(void *io_context, struct msg
return ret;
}

static S2N_RESULT s2n_assert_seq_num_equal(struct s2n_blob actual_blob, uint64_t expected)
{
uint64_t actual = 0;
RESULT_GUARD_POSIX(s2n_sequence_number_to_uint64(&actual_blob, &actual));
RESULT_ENSURE(actual == expected, S2N_ERR_TEST_ASSERTION);
return S2N_RESULT_OK;
}

int main(int argc, char **argv)
{
BEGIN_TEST();
Expand Down Expand Up @@ -1185,5 +1203,120 @@ int main(int argc, char **argv)
};
};

/* Test: key encryption limit tracked */
{
uint8_t large_test_data[S2N_TLS_MAXIMUM_FRAGMENT_LENGTH * 10] = { 0 };
const size_t large_test_data_records = sizeof(large_test_data) / S2N_TLS_MAXIMUM_FRAGMENT_LENGTH;
/* For simplicity, keep our test data a positive even multiple of the max frag size */
EXPECT_TRUE(sizeof(large_test_data) % S2N_TLS_MAXIMUM_FRAGMENT_LENGTH == 0);
EXPECT_TRUE(large_test_data_records > 0);
const size_t test_encryption_limit = large_test_data_records;

struct s2n_record_algorithm test_record_alg = *s2n_tls13_aes_128_gcm_sha256.record_alg;
test_record_alg.encryption_limit = test_encryption_limit;
struct s2n_cipher_suite test_cipher_suite = s2n_tls13_aes_128_gcm_sha256;
test_cipher_suite.record_alg = &test_record_alg;

for (s2n_mode mode = 0; mode <= 1; mode++) {
DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(mode),
s2n_connection_ptr_free);
EXPECT_NOT_NULL(conn);
EXPECT_OK(s2n_ktls_set_sendmsg_cb(conn, s2n_test_ktls_sendmsg_mark_all_sent, conn));
conn->ktls_send_enabled = true;
EXPECT_NOT_NULL(conn->secure);
conn->secure->cipher_suite = &test_cipher_suite;
conn->actual_protocol_version = S2N_TLS13;

s2n_blocked_status blocked = S2N_NOT_BLOCKED;

/* Test: Sequence number tracked correctly */
{
DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));

/* Test: All connections start with zero records sent */
uint64_t expected_seq_num = 0;
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));

/* Test: Send no data */
EXPECT_EQUAL(s2n_send(conn, large_test_data, 0, &blocked), 0);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));

/* Test: Send one minimum sized record */
expected_seq_num++;
EXPECT_EQUAL(s2n_send(conn, large_test_data, 1, &blocked), 1);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));

/* Test: Send one maximum sized record */
expected_seq_num++;
EXPECT_EQUAL(
s2n_send(conn, large_test_data, S2N_TLS_MAXIMUM_FRAGMENT_LENGTH, &blocked),
S2N_TLS_MAXIMUM_FRAGMENT_LENGTH);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));

/* Test: Send multiple records */
expected_seq_num += 2;
EXPECT_EQUAL(
s2n_send(conn, large_test_data, S2N_TLS_MAXIMUM_FRAGMENT_LENGTH + 1, &blocked),
S2N_TLS_MAXIMUM_FRAGMENT_LENGTH + 1);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));

/* Test: Send enough data to hit the encryption limit */
EXPECT_FAILURE_WITH_ERRNO(
s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
S2N_ERR_KTLS_KEY_LIMIT);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));
};

/* Test: Exact encryption limit boundary */
{
DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));

/* Send enough records to hit but not exceed the encryption limit */
for (size_t i = 0; i < test_encryption_limit; i++) {
EXPECT_EQUAL(s2n_send(conn, large_test_data, 1, &blocked), 1);
}
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, test_encryption_limit));

/* One more record should exceed the encryption limit */
EXPECT_FAILURE_WITH_ERRNO(
s2n_send(conn, large_test_data, 1, &blocked),
S2N_ERR_KTLS_KEY_LIMIT);
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, test_encryption_limit));
};

/* Test: Limit not tracked with TLS1.2 */
{
DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));

/* Sequence number not incremented with TLS1.2 */
conn->actual_protocol_version = S2N_TLS12;
EXPECT_EQUAL(
s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
sizeof(large_test_data));
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, 0));

/* Sequence number incremented with TLS1.3 */
conn->actual_protocol_version = S2N_TLS13;
EXPECT_EQUAL(
s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
sizeof(large_test_data));
EXPECT_OK(s2n_assert_seq_num_equal(seq_num, test_encryption_limit));

/* Passing the limit with TLS1.3 is an error */
conn->actual_protocol_version = S2N_TLS13;
EXPECT_FAILURE_WITH_ERRNO(
s2n_send(conn, large_test_data, 1, &blocked),
S2N_ERR_KTLS_KEY_LIMIT);

/* Passing the limit with TLS1.2 is NOT an error */
conn->actual_protocol_version = S2N_TLS12;
EXPECT_EQUAL(s2n_send(conn, large_test_data, 1, &blocked), 1);
};
}
};

END_TEST();
}
51 changes: 51 additions & 0 deletions tests/unit/s2n_safety_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -387,6 +387,57 @@ int main(int argc, char **argv)
CHECK_OVF(s2n_add_overflow, uint32_t, 100, ACTUAL_MAX - 99);
CHECK_OVF(s2n_add_overflow, uint32_t, 100, ACTUAL_MAX - 1);

/* Test: S2N_ADD_IS_OVERFLOW_SAFE */
{
const size_t num = 100;

uint64_t success_test_values[][3] = {
{ 0, 0, 0 },
{ 1, 0, 1 },
{ 0, 0, UINT8_MAX },
{ 1, 1, UINT8_MAX },
{ UINT8_MAX, 0, UINT8_MAX },
{ UINT8_MAX - num, num, UINT8_MAX },
{ UINT8_MAX / 2, UINT8_MAX / 2, UINT8_MAX },
{ 1, 1, UINT64_MAX },
{ UINT64_MAX, 0, UINT64_MAX },
{ UINT64_MAX - num, num, UINT64_MAX },
{ UINT64_MAX / 2, UINT64_MAX / 2, UINT64_MAX },
};
for (size_t i = 0; i < s2n_array_len(success_test_values); i++) {
uint64_t v1 = success_test_values[i][0];
uint64_t v2 = success_test_values[i][1];
uint64_t max = success_test_values[i][2];
EXPECT_TRUE(S2N_ADD_IS_OVERFLOW_SAFE(v1, v2, max));
EXPECT_TRUE(S2N_ADD_IS_OVERFLOW_SAFE(v2, v1, max));
}

uint64_t failure_test_values[][3] = {
{ 1, 0, 0 },
{ UINT8_MAX, 0, 0 },
{ UINT64_MAX, 0, UINT8_MAX },
{ UINT64_MAX, UINT64_MAX, UINT8_MAX },
{ UINT8_MAX, 1, UINT8_MAX },
{ UINT8_MAX - 1, UINT8_MAX - 1, UINT8_MAX },
{ UINT16_MAX, 1, UINT16_MAX },
{ UINT64_MAX, 1, UINT64_MAX },
{ UINT8_MAX, num, UINT8_MAX },
{ UINT16_MAX, num, UINT16_MAX },
{ UINT64_MAX, num, UINT64_MAX },
{ UINT8_MAX, UINT8_MAX, UINT8_MAX },
{ UINT16_MAX, UINT16_MAX, UINT16_MAX },
{ UINT64_MAX, UINT64_MAX, UINT64_MAX },
{ UINT64_MAX - num, UINT64_MAX - num, UINT64_MAX },
};
for (size_t i = 0; i < s2n_array_len(failure_test_values); i++) {
uint64_t v1 = failure_test_values[i][0];
uint64_t v2 = failure_test_values[i][1];
uint64_t max = failure_test_values[i][2];
EXPECT_FALSE(S2N_ADD_IS_OVERFLOW_SAFE(v1, v2, max));
EXPECT_FALSE(S2N_ADD_IS_OVERFLOW_SAFE(v2, v1, max));
}
}

END_TEST();
return 0;
}
Loading

0 comments on commit 6eab3ad

Please sign in to comment.