1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
|
// This module provides an specification of the TLS 1.2 handshake message
// state machine according to RFCs 5246, 5077 and 6066 (OCSP extension only).
// The NPN extension is based on the draft
// https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03
module rfc_handshake_tls12 where
import s2n_handshake_io
// Main correctness property: a simulation of the S2N handshake state
// machine by an RFC-derived state machine. Every pair of related initial
// 'connection' and 'Parameters' generates the same sequence of messages.
tls12rfcSimulatesS2N : {len} (fin len) => connection -> Parameters -> Bool
tls12rfcSimulatesS2N conn pars =
initial_connection conn /\ connectionParameters conn pars ==>
map rfc2S2N (traceRFC `{n = len} pars) == traceS2N `{n = len} conn
// Generate a sequence of states for the the RFC handshake state machine given
// handshake parameters
traceRFC : {n} (fin n) => Parameters -> [n]Message
traceRFC params = take (map message (iterate (handshakeTransition params) clientHelloSent))
// RFC Handshake states
type State = [5]
// Handshake states
(helloRequestSent : State) = 0
(clientHelloSent : State) = 1
(serverHelloSent : State) = 2
(serverCertificateSent : State) = 3
(serverKeyExchangeSent : State) = 4
(certificateRequestSent : State) = 5
(serverHelloDoneSent : State) = 6
(serverHelloDoneSentCertRequested : State) = 7
(clientCertificateSent : State) = 8
(clientKeyExchangeSent : State) = 9
(clientKeyExchangeSentCertSent : State) = 10
(certificateVerifySent : State) = 11
(clientChangeCipherSpecSent : State) = 12
(clientFinishedSent : State) = 13
(serverChangeCipherSpecSent : State) = 14
(serverFinishedSent : State) = 15
(applicationDataTransmission : State) = 16
(serverNewSessionTicketSent : State) = 17
(serverRenewSessionTicketSent : State) = 18
(serverChangeCipherSpecWithTicketSent : State) = 19
(serverFinishedWithTicketSent : State) = 20
(clientChangeCipherSpecWithTicketSent : State) = 21
(clientFinishedWithTicketSent : State) = 22
(serverCertificateStatusSent : State) = 23
(nextProtocolSent : State) = 24
(nextProtocolWithTicketSent : State) = 25
// TLS protocol types
type Protocol = [2]
(handshake : Protocol) = 0
(changeCipherSpec : Protocol) = 1
(alert : Protocol) = 2
(data : Protocol) = 3
// TLS Message types
type MessageType = [4]
//handshake message types
(helloRequest : MessageType) = 0
(clientHello : MessageType) = 1
(serverHello : MessageType) = 2
(certificate : MessageType) = 3
(serverKeyExchange : MessageType) = 4
(certificateRequest : MessageType) = 5
(serverHelloDone : MessageType) = 6
(certificateVerify : MessageType) = 7
(clientKeyExchange : MessageType) = 8
(finished : MessageType) = 9
(newSessionTicket : MessageType) = 10
(certificateStatus : MessageType) = 11
(nextProtocol : MessageType) = 12
// ChangeCipherSpec message types
(changeCipherSpecMessage : MessageType) = 0
// Data message types
(applicationData : MessageType) = 0
(error : MessageType) = 1
// Sender (data flow direction)
type Sender = [2]
(server : Sender) = 0
(client : Sender) = 1
(both : Sender) = 2
(noSender : Sender) = 3
// Key exchange algorithms
type KeyExchange = [3]
(DH_anon : KeyExchange) = 0
(DHE_DSS : KeyExchange) = 1
(DHE_RSA : KeyExchange) = 2
(RSA : KeyExchange) = 3
(DH_DSS : KeyExchange) = 4
(DH_RSA : KeyExchange) = 5
// TLS protocol parameters that determine the transition to take in each state.
// Some of these fields are set as a configuration to the end-point, while others
// are determined from the messages send by the counterparty. We model both as
// parameters since the state machine model reasons about both end-points.
type Parameters = {keyExchange : KeyExchange
//^ Negotiated key exchange algorithm
,sessionTicket : Bit
//^ The client had a session ticket
,renewSessionTicket : Bit
//^ Whether the server decides to renew a session ticket
,sendCertificateStatus : Bit
//^ Whether the server decides to send the certificate status
// message
,requestClientCert : Bit
//^ Whether the server requests a certificate from the client
,includeSessionTicket : Bit
//^ Whether the server includes a session ticket extension in
// SERVER_HELLO
,npnNegotiated : Bit
//^ Whether the client sends a ``NextProtocol'' message.
// This allows the application layer to negotiate which
// protocol should be performed over the secure connection.
}
// A relation between the s2n_connection struct and the parameters
connectionParameters : connection -> Parameters -> Bit
connectionParameters conn params =
conn.server_can_send_ocsp == params.sendCertificateStatus
/\ ((conn.key_exchange_eph /\ ~keyExchangeNonEphemeral params /\ params.keyExchange != DH_anon) \/
(~conn.key_exchange_eph /\ keyExchangeNonEphemeral params))
/\ (conn.is_caching_enabled /\ ~conn.resume_from_cache) == params.sessionTicket
/\ (~params.includeSessionTicket) // s2n server does not issue tickets at this time
/\ (~params.renewSessionTicket) // s2n server does not issue tickets at this time
/\ conn.client_auth_flag == params.requestClientCert
/\ conn.npn_negotiated == params.npnNegotiated
/\ conn.actual_protocol_version != S2N_TLS13
// A predicate that tells whether key-exchange is non-ephemeral and uses server certificate
// data for exchanging a premaster secret (RFC 5246 7.4.3). In this case the key exchange
// algorithm does not require KeyExchange messages.
keyExchangeNonEphemeral : Parameters -> Bit
keyExchangeNonEphemeral params = params.keyExchange == RSA \/ params.keyExchange == DH_DSS \/ params.keyExchange == DH_RSA
// Handshake state transition relation per the RFCs. Given handshake parameters
// and a handshake state, return the next state. If there is no valid next state,
// the state machine stutters (returns the previous state).
handshakeTransition : Parameters -> State -> State
handshakeTransition params old =
snd (find fst (True, old) [ (old == from /\ p, to) | (from, p, to) <- valid_transitions])
where // The encoding of the transition relation of the state machine is a triple
// (oldState, transitionCondition, newState) with the meaning "if we are
// in the oldState, the transitionCondition is True (for the given
// Parameters) then the next state is newState.
valid_transitions =
[(helloRequestSent, True, clientHelloSent)
,(clientHelloSent, True, serverHelloSent)
,(serverHelloSent, params.keyExchange != DH_anon /\ ~params.sessionTicket, serverCertificateSent)
,(serverHelloSent, params.keyExchange == DH_anon /\ ~params.sessionTicket, serverKeyExchangeSent)
,(serverHelloSent, params.sessionTicket /\ params.renewSessionTicket, serverNewSessionTicketSent)
,(serverHelloSent, params.sessionTicket /\ ~params.renewSessionTicket, serverChangeCipherSpecWithTicketSent)
,(serverCertificateSent, keyExchangeNonEphemeral params /\ ~params.requestClientCert /\ ~params.sendCertificateStatus, serverHelloDoneSent)
,(serverCertificateSent, keyExchangeNonEphemeral params /\ params.requestClientCert /\ ~params.sendCertificateStatus, certificateRequestSent)
,(serverCertificateSent, ~(keyExchangeNonEphemeral params) /\ ~params.sendCertificateStatus, serverKeyExchangeSent)
,(serverCertificateSent, params.sendCertificateStatus, serverCertificateStatusSent)
,(serverKeyExchangeSent, ~params.requestClientCert, serverHelloDoneSent)
,(serverKeyExchangeSent, params.requestClientCert, certificateRequestSent)
,(certificateRequestSent, True, serverHelloDoneSentCertRequested)
,(serverHelloDoneSent, True, clientKeyExchangeSent)
,(clientKeyExchangeSent, True, clientChangeCipherSpecSent)
,(serverHelloDoneSentCertRequested, True, clientCertificateSent)
,(clientCertificateSent, True, clientKeyExchangeSentCertSent)
,(clientKeyExchangeSentCertSent, True, certificateVerifySent)
,(certificateVerifySent, True, clientChangeCipherSpecSent)
,(clientChangeCipherSpecSent, ~params.npnNegotiated, clientFinishedSent)
,(clientChangeCipherSpecSent, params.npnNegotiated, nextProtocolSent)
,(nextProtocolSent, True, clientFinishedSent)
,(clientFinishedSent, ~params.includeSessionTicket, serverChangeCipherSpecSent)
,(clientFinishedSent, params.includeSessionTicket, serverNewSessionTicketSent)
,(serverNewSessionTicketSent, True, serverChangeCipherSpecSent)
,(serverChangeCipherSpecSent, True, serverFinishedSent)
,(serverFinishedSent, True, applicationDataTransmission)
,(serverChangeCipherSpecWithTicketSent, True, serverFinishedWithTicketSent)
,(serverFinishedWithTicketSent, True, clientChangeCipherSpecWithTicketSent)
,(clientChangeCipherSpecWithTicketSent, ~params.npnNegotiated, clientFinishedWithTicketSent)
,(clientChangeCipherSpecWithTicketSent, params.npnNegotiated, nextProtocolWithTicketSent)
,(nextProtocolWithTicketSent, True, clientFinishedWithTicketSent)
,(clientFinishedWithTicketSent, True, applicationDataTransmission)
,(serverCertificateStatusSent, keyExchangeNonEphemeral params /\ ~params.requestClientCert, serverHelloDoneSent)
,(serverCertificateStatusSent, keyExchangeNonEphemeral params /\ params.requestClientCert, certificateRequestSent)
,(serverCertificateStatusSent, ~(keyExchangeNonEphemeral params), serverKeyExchangeSent)
]
// Abstraction of the TLS message which records the protocol, message type and
// direction
type Message = {messageType : MessageType
,protocol : Protocol
,sender : Sender
}
mkMessage : Sender -> Protocol -> MessageType -> Message
mkMessage s p mt = {sender = s, protocol = p, messageType = mt}
// Message sent in each handshake state
message : State -> Message
message = lookupDefault messages (mkMessage noSender data error)
where messages =
[(helloRequestSent, mkMessage server handshake helloRequest)
,(clientHelloSent, mkMessage client handshake clientHello)
,(serverHelloSent, mkMessage server handshake serverHello)
,(serverCertificateSent, mkMessage server handshake certificate)
,(serverKeyExchangeSent, mkMessage server handshake serverKeyExchange)
,(certificateRequestSent, mkMessage server handshake certificateRequest)
,(serverHelloDoneSent, mkMessage server handshake serverHelloDone)
,(serverHelloDoneSentCertRequested, mkMessage server handshake serverHelloDone)
,(clientCertificateSent, mkMessage client handshake certificate)
,(clientKeyExchangeSent, mkMessage client handshake clientKeyExchange)
,(clientKeyExchangeSentCertSent, mkMessage client handshake clientKeyExchange)
,(certificateVerifySent, mkMessage client handshake certificateVerify)
,(clientChangeCipherSpecSent, mkMessage client changeCipherSpec changeCipherSpecMessage)
,(clientFinishedSent, mkMessage client handshake finished)
,(serverChangeCipherSpecSent, mkMessage server changeCipherSpec changeCipherSpecMessage)
,(serverFinishedSent, mkMessage server handshake finished)
,(applicationDataTransmission, mkMessage both data applicationData)
,(serverNewSessionTicketSent, mkMessage server handshake newSessionTicket)
,(serverChangeCipherSpecWithTicketSent, mkMessage server changeCipherSpec changeCipherSpecMessage)
,(serverFinishedWithTicketSent, mkMessage server handshake finished)
,(clientChangeCipherSpecWithTicketSent, mkMessage client changeCipherSpec changeCipherSpecMessage)
,(clientFinishedWithTicketSent, mkMessage client handshake finished)
,(serverCertificateStatusSent, mkMessage server handshake certificateStatus)
,(nextProtocolSent, mkMessage client handshake nextProtocol)
,(nextProtocolWithTicketSent, mkMessage client handshake nextProtocol)
]
// a mapping from RFC messages to s2n handshake_action's
rfc2S2N : Message -> handshake_action
rfc2S2N msg = {writer = sender2writer msg.sender
,record_type = protocol2recordType msg.protocol
,message_type = s2nMessageType msg
}
// an equality relation between RFC and s2n messages
msgRFCS2N : Message -> handshake_action -> Bool
msgRFCS2N msg hsa = rfc2S2N msg == hsa
// convert a specification representation of sender to a 'writer' character in s2n.
sender2writer : Sender -> [8]
sender2writer sndr = if sndr == server then 'S'
else if sndr == client then 'C'
else if sndr == both then 'B'
else 'E'
// Convert the RFC protocol number to s2n TLS record type constant
protocol2recordType : Protocol -> [8]
protocol2recordType = lookupDefault protocols TLS_APPLICATION_DATA
where protocols = [(handshake, TLS_HANDSHAKE)
,(changeCipherSpec, TLS_CHANGE_CIPHER_SPEC)
,(alert, TLS_ALERT)
,(data, TLS_APPLICATION_DATA)
]
// Returns the s2n message type for a given RFC Message
s2nMessageType : Message -> [8]
s2nMessageType msg =
if prot == handshake then (if mt == helloRequest then TLS_HELLO_REQUEST
else if mt == clientHello then TLS_CLIENT_HELLO
else if mt == serverHello then TLS_SERVER_HELLO
else if mt == certificate then TLS_CERTIFICATE
else if mt == serverKeyExchange then TLS_SERVER_KEY
else if mt == certificateRequest then TLS_CERTIFICATE_REQ
else if mt == serverHelloDone then TLS_SERVER_HELLO_DONE
else if mt == certificateVerify then TLS_CERT_VERIFY
else if mt == clientKeyExchange then TLS_CLIENT_KEY
else if mt == finished then TLS_FINISHED
else if mt == newSessionTicket then TLS_SERVER_NEW_SESSION_TICKET
else if mt == certificateStatus then TLS_CERTIFICATE_STATUS
else if mt == nextProtocol then TLS_NPN
else ERROR_MESSAGE)
else 0
where mt = msg.messageType
send = msg.sender
prot = msg.protocol
ERROR_MESSAGE = 10 // unused in current s2n
|
