From 707b94555875f689e78ef2eaa2e72a4fd4549ea3 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 30 Oct 2024 00:19:18 +0000 Subject: [PATCH 1/5] fix incorrect docs --- README.md | 6 +++--- compliance/specs/exceptions/rfc5746/4.4.toml | 9 +++------ compliance/specs/exceptions/rfc5746/5.toml | 3 +-- crypto/s2n_sequence.c | 10 ++++++---- tls/s2n_connection.h | 3 +-- tls/s2n_handshake_io.c | 3 +-- 6 files changed, 15 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 939faad8176..75319ac1974 100644 --- a/README.md +++ b/README.md @@ -126,8 +126,8 @@ s2n_config_set_cipher_preferences(config, "20150306") Internally s2n-tls takes a systematic approach to data protection and includes several mechanisms designed to improve safety. -##### Small and auditable code base -Ignoring tests, blank lines and comments, s2n-tls is about 6,000 lines of code. s2n's code is also structured and written with a focus on reviewability. All s2n-tls code is subject to code review, and we plan to complete security evaluations of s2n-tls on an annual basis. +##### Auditable code base +s2n-tls's code is structured and written with a focus on reviewability. All s2n-tls code is subject to code review, and we plan to complete security evaluations of s2n-tls on an annual basis. To date there have been two external code-level reviews of s2n-tls, including one by a commercial security vendor. s2n-tls has also been shared with some trusted members of the broader cryptography, security, and Open Source communities. Any issues discovered are always recorded in the s2n-tls issue tracker. @@ -148,7 +148,7 @@ s2n-tls encrypts or erases plaintext data as quickly as possible. For example, d s2n-tls uses operating system features to protect data from being swapped to disk or appearing in core dumps. ##### Minimalist feature adoption -s2n-tls avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS. +s2n-tls avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example, there is no support for DTLS. ##### Compartmentalized random number generation The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n-tls provides every thread with two separate random number generators. One for "public" randomly generated data that may appear in the clear, and one for "private" data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. diff --git a/compliance/specs/exceptions/rfc5746/4.4.toml b/compliance/specs/exceptions/rfc5746/4.4.toml index f377197af4b..8d6ed2603bd 100644 --- a/compliance/specs/exceptions/rfc5746/4.4.toml +++ b/compliance/specs/exceptions/rfc5746/4.4.toml @@ -7,8 +7,7 @@ servers nevertheless do permit it, they MUST follow the requirements in this section. ''' reason = ''' -s2n-tls servers do not support renegotiation -and do not allow clients to renegotiate. +s2n-tls servers do not support renegotiation. ''' [[exception]] @@ -18,8 +17,7 @@ does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort the handshake. ''' reason = ''' -s2n-tls servers do not support renegotiation -and do not allow clients to renegotiate. +s2n-tls servers do not support renegotiation. ''' [[exception]] @@ -28,6 +26,5 @@ o The server MUST verify that the "renegotiation_info" extension is not present; if it is, the server MUST abort the handshake. ''' reason = ''' -s2n-tls servers do not support renegotiation -and do not allow clients to renegotiate. +s2n-tls servers do not support renegotiation. ''' diff --git a/compliance/specs/exceptions/rfc5746/5.toml b/compliance/specs/exceptions/rfc5746/5.toml index afd5f84e832..c21cd7c713a 100644 --- a/compliance/specs/exceptions/rfc5746/5.toml +++ b/compliance/specs/exceptions/rfc5746/5.toml @@ -6,6 +6,5 @@ Servers SHOULD NOT allow clients to renegotiate without using this extension. ''' reason = ''' -s2n-tls servers do not support renegotiation -and do not allow clients to renegotiate. +s2n-tls servers do not support renegotiation. ''' diff --git a/crypto/s2n_sequence.c b/crypto/s2n_sequence.c index d7a8d953623..fc9e99a43e5 100644 --- a/crypto/s2n_sequence.c +++ b/crypto/s2n_sequence.c @@ -29,10 +29,12 @@ int s2n_increment_sequence_number(struct s2n_blob *sequence_number) if (sequence_number->data[i]) { break; } - - /* RFC 5246 6.1: If a TLS implementation would need to wrap a sequence number, it must - * renegotiate instead. We don't support renegotiation. Caller needs to create a new session. - * This condition is very unlikely. It requires 2^64 - 1 records to be sent. + + /* This condition is very unlikely. It requires 2^64 - 1 records to be sent. + * + *= https://www.rfc-editor.org/rfc/rfc5246#section-6.1 + *# If a TLS implementation would need to wrap a sequence number, it must + *# renegotiate instead. */ S2N_ERROR_IF(i == 0, S2N_ERR_RECORD_LIMIT); diff --git a/tls/s2n_connection.h b/tls/s2n_connection.h index d3729840cfd..17ccf38ba3b 100644 --- a/tls/s2n_connection.h +++ b/tls/s2n_connection.h @@ -70,8 +70,7 @@ struct s2n_connection { /* Connection can be used by a QUIC implementation */ unsigned quic_enabled : 1; - /* s2n does not support renegotiation. - * RFC5746 Section 4.3 suggests servers implement a minimal version of the + /* RFC5746 Section 4.3 suggests servers implement a minimal version of the * renegotiation_info extension even if renegotiation is not supported. * Some clients may fail the handshake if a corresponding renegotiation_info * extension is not sent back by the server. diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c index a4f93d8d5e6..3d3479683ae 100644 --- a/tls/s2n_handshake_io.c +++ b/tls/s2n_handshake_io.c @@ -1389,8 +1389,7 @@ static S2N_RESULT s2n_handshake_app_data_recv(struct s2n_connection *conn) * types to be interleaved at the record layer. We may get an alert message * during the handshake phase, or messages of types that we don't support (e.g. * HEARTBEAT messages), or during renegotiations we may even get application - * data messages that need to be handled by the application. The latter is punted - * for now (s2n does not support renegotiations). + * data messages that need to be handled by the application. */ static int s2n_handshake_read_io(struct s2n_connection *conn) { From b905a1186721c9e1a7944acb9be9ba185c0f7d92 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 30 Oct 2024 16:42:45 +0000 Subject: [PATCH 2/5] address PR feedback - revert incorrect doc fix - clang format --- compliance/specs/exceptions/rfc5746/4.4.toml | 9 ++++++--- compliance/specs/exceptions/rfc5746/5.toml | 3 ++- crypto/s2n_sequence.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/compliance/specs/exceptions/rfc5746/4.4.toml b/compliance/specs/exceptions/rfc5746/4.4.toml index 8d6ed2603bd..f377197af4b 100644 --- a/compliance/specs/exceptions/rfc5746/4.4.toml +++ b/compliance/specs/exceptions/rfc5746/4.4.toml @@ -7,7 +7,8 @@ servers nevertheless do permit it, they MUST follow the requirements in this section. ''' reason = ''' -s2n-tls servers do not support renegotiation. +s2n-tls servers do not support renegotiation +and do not allow clients to renegotiate. ''' [[exception]] @@ -17,7 +18,8 @@ does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort the handshake. ''' reason = ''' -s2n-tls servers do not support renegotiation. +s2n-tls servers do not support renegotiation +and do not allow clients to renegotiate. ''' [[exception]] @@ -26,5 +28,6 @@ o The server MUST verify that the "renegotiation_info" extension is not present; if it is, the server MUST abort the handshake. ''' reason = ''' -s2n-tls servers do not support renegotiation. +s2n-tls servers do not support renegotiation +and do not allow clients to renegotiate. ''' diff --git a/compliance/specs/exceptions/rfc5746/5.toml b/compliance/specs/exceptions/rfc5746/5.toml index c21cd7c713a..afd5f84e832 100644 --- a/compliance/specs/exceptions/rfc5746/5.toml +++ b/compliance/specs/exceptions/rfc5746/5.toml @@ -6,5 +6,6 @@ Servers SHOULD NOT allow clients to renegotiate without using this extension. ''' reason = ''' -s2n-tls servers do not support renegotiation. +s2n-tls servers do not support renegotiation +and do not allow clients to renegotiate. ''' diff --git a/crypto/s2n_sequence.c b/crypto/s2n_sequence.c index fc9e99a43e5..ba683aa8ece 100644 --- a/crypto/s2n_sequence.c +++ b/crypto/s2n_sequence.c @@ -29,7 +29,7 @@ int s2n_increment_sequence_number(struct s2n_blob *sequence_number) if (sequence_number->data[i]) { break; } - + /* This condition is very unlikely. It requires 2^64 - 1 records to be sent. * *= https://www.rfc-editor.org/rfc/rfc5246#section-6.1 From 42a56e7d9e565622ac8dc0b18b88e5189b25d7f1 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 30 Oct 2024 17:09:20 +0000 Subject: [PATCH 3/5] clarify comment --- crypto/s2n_sequence.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/s2n_sequence.c b/crypto/s2n_sequence.c index ba683aa8ece..6118c15c550 100644 --- a/crypto/s2n_sequence.c +++ b/crypto/s2n_sequence.c @@ -30,7 +30,9 @@ int s2n_increment_sequence_number(struct s2n_blob *sequence_number) break; } - /* This condition is very unlikely. It requires 2^64 - 1 records to be sent. + /* Renegotiation is an unstable feature currently used for delayed client auth. Instead of + * triggering renegotiation, throw an error. + * This condition is very unlikely. It requires 2^64 - 1 records to be sent. * *= https://www.rfc-editor.org/rfc/rfc5246#section-6.1 *# If a TLS implementation would need to wrap a sequence number, it must From 90cdf3888e49d68a52dd81225415927450fa70d4 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 30 Oct 2024 17:10:46 +0000 Subject: [PATCH 4/5] fix indentation --- crypto/s2n_sequence.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/s2n_sequence.c b/crypto/s2n_sequence.c index 6118c15c550..93103e088ff 100644 --- a/crypto/s2n_sequence.c +++ b/crypto/s2n_sequence.c @@ -30,9 +30,9 @@ int s2n_increment_sequence_number(struct s2n_blob *sequence_number) break; } - /* Renegotiation is an unstable feature currently used for delayed client auth. Instead of - * triggering renegotiation, throw an error. - * This condition is very unlikely. It requires 2^64 - 1 records to be sent. + /* Renegotiation is an unstable feature currently used for delayed client auth. Instead of + * triggering renegotiation, throw an error. + * This condition is very unlikely. It requires 2^64 - 1 records to be sent. * *= https://www.rfc-editor.org/rfc/rfc5246#section-6.1 *# If a TLS implementation would need to wrap a sequence number, it must From d4f6982d8b51da4d3e24770fd55d7aae1a2c639e Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 30 Oct 2024 22:08:45 +0000 Subject: [PATCH 5/5] remove rfc reference --- crypto/s2n_sequence.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/crypto/s2n_sequence.c b/crypto/s2n_sequence.c index 93103e088ff..52c735f4f94 100644 --- a/crypto/s2n_sequence.c +++ b/crypto/s2n_sequence.c @@ -30,13 +30,8 @@ int s2n_increment_sequence_number(struct s2n_blob *sequence_number) break; } - /* Renegotiation is an unstable feature currently used for delayed client auth. Instead of - * triggering renegotiation, throw an error. + /* If a sequence number would exceed the maximum value, then we need to start a new session. * This condition is very unlikely. It requires 2^64 - 1 records to be sent. - * - *= https://www.rfc-editor.org/rfc/rfc5246#section-6.1 - *# If a TLS implementation would need to wrap a sequence number, it must - *# renegotiate instead. */ S2N_ERROR_IF(i == 0, S2N_ERR_RECORD_LIMIT);