s2n-tls icon indicating copy to clipboard operation
s2n-tls copied to clipboard

Published 20 hours ago verified publisher icon aws

Remove hard-coded assumptions about `use_tickets` and `client_session_resumed` in SAW proofs

Open RyanGlScott opened this issue 3 years ago • 2 comments

Problem:

Currently, the SAW proofs assume that config->use_tickets is always disabled:

https://github.com/aws/s2n-tls/blob/2c27512895e8a2945f97b5137bb0371126549007/tests/saw/spec/handshake/handshake_io_lowlevel.saw#L163-L165

In addition, the proofs currently assume that conn->client_session_resumed will be disabled as well. This assumption is made explicit in #3079—see https://github.com/aws/s2n-tls/pull/3079#discussion_r721291815.

While these assumptions make the proofs somewhat simpler, they have the drawback of making the proofs skip over certain parts of s2n-tls, such as session resumption logic.

Solution:

We should remove these preconditions and repair the SAW proofs accordingly. Here is a rough sketch of how this might go for the particular case of conn->client_session_resumed:

  1. Remove the crucible_precond statement involving conn_client_session_resumed_index.

  2. Add a new field to the Cryptol connection record which tracks if the client_session_resumed bit in s2n_connection is enabled or not.

  3. In setup_connection_common, initialize this new Cryptol field with the appropriate value.

  4. The code in the conn_set_pre_tls13_handshake_type Cryptol function will need to be updated accordingly. Something like this, perhaps:

    diff --git a/tests/saw/spec/handshake/s2n_handshake_io.cry b/tests/saw/spec/handshake/s2n_handshake_io.cry
index b466aa20f8..452f09f7be 100644
--- a/tests/saw/spec/handshake/s2n_handshake_io.cry
+++ b/tests/saw/spec/handshake/s2n_handshake_io.cry
@@ -27,6 +27,7 @@ conn_set_pre_tls13_handshake_type conn = conn'
                 ,server_can_send_ocsp = conn.server_can_send_ocsp
                 ,key_exchange_eph = conn.key_exchange_eph
                 ,client_auth_flag = conn.client_auth_flag
+                ,client_session_resumed = conn.client_session_resumed
                 ,actual_protocol_version = conn.actual_protocol_version
                 ,no_client_cert = conn.no_client_cert
                 ,early_data_state = conn.early_data_state
@@ -36,9 +37,9 @@ conn_set_pre_tls13_handshake_type conn = conn'
         (handshake' : handshake) = {handshake_type = handshake_type'
                                    ,message_number = conn.handshake.message_number
                                    }
-        handshake_type' = NEGOTIATED || full_handshake ||
-                            (if (full_handshake != 0) then
-                              perfect_forward_secrecy || ocsp_status || client_auth
+        handshake_type' = NEGOTIATED || client_auth ||
+                            (if (~is_client_session_resumed) then
+                              full_handshake || perfect_forward_secrecy || ocsp_status
                               else zero)
         full_handshake  = if (conn.is_caching_enabled /\ ~conn.resume_from_cache)
                           then zero
@@ -52,6 +53,7 @@ conn_set_pre_tls13_handshake_type conn = conn'
         client_auth = if conn.client_auth_flag
                       then CLIENT_AUTH
                       else zero
+        is_client_session_resumed = conn.mode == S2N_CLIENT /\ conn.client_session_resumed

 // This function models the update of the s2n_connection struct by the
 // s2n_conn_set_tls13_handshake_type function in s2n.

  5. The rfc_handshake_tls12 proofs will also need to be updated.

  • Does this change what S2N sends over the wire? No.
  • Does this change any public APIs? No.
  • Which versions of TLS will this impact? This should only affect the TLS 1.2–specific code paths in the SAW proofs.

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

  • RFC links: Links to relevant RFC(s)
  • Related Issues: The PR in which the assumptions about client_session_resumed were uncovered: https://github.com/aws/s2n-tls/pull/3079#discussion_r721291815
  • Will the Usage Guide or other documentation need to be updated?
  • Testing: This should be tested by running the make -C tests/saw tmp/verify_handshake.log and make -C tests/saw failure-tests tests.
    • Will this change trigger SAW changes? Yes.
    • Should this change be fuzz tested? No.

Out of scope:

This does not address other hard-coded assumptions made in the SAW proofs, such as what the value of corked_io should be:

https://github.com/aws/s2n-tls/blob/2c27512895e8a2945f97b5137bb0371126549007/tests/saw/spec/handshake/handshake_io_lowlevel.saw#L111-L113

RyanGlScott avatar Oct 04 '21 17:10 RyanGlScott

Has this issue been resolved and can be closed? If not could you update it specify what is left to do. Thank you.

@RyanGlScott

toidiu avatar Apr 19 '22 17:04 toidiu

This issue has not been resolved, although some of the code described in https://github.com/aws/s2n-tls/issues/3080#issue-1015463448 shuffled around in #3155. In particular, the code which assumes that conn->client_session_resumed is disabled now lives here:

https://github.com/aws/s2n-tls/blob/5edafa73bbbd3d7dec6d44785ebff634cc914d2f/tests/saw/spec/handshake/handshake_io_lowlevel.saw#L181-L183

And the code which assumes that config->use_tickets is disabled now lives here:

https://github.com/aws/s2n-tls/blob/5edafa73bbbd3d7dec6d44785ebff634cc914d2f/tests/saw/spec/handshake/handshake_io_lowlevel.saw#L185-L187

Step (1) in my sketched solution would be to remove these lines instead of removing crucible_precond statements (which no longer appear after #3155). The rest of the sketched solution should still apply.

RyanGlScott avatar Apr 19 '22 17:04 RyanGlScott