RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 08:17:45 +00:00
Code Issues Activity Actions

LibTLS: Replace cipher selection with a variant

Browse source
This commit is contained in:
DexesTTP 2021-05-18 22:58:13 +02:00 committed by Andreas Kling
parent 851e254e8f
commit 2e9a4bb95c
3 changed files with 200 additions and 176 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibTLS/HandshakeClient.cpp
View file

@ -75,14 +75,14 @@ bool TLSv12::expand_key()
memcpy(m_context.crypto.local_aead_iv, client_iv, iv_size); memcpy(m_context.crypto.local_aead_iv, client_iv, iv_size);
memcpy(m_context.crypto.remote_aead_iv, server_iv, iv_size); memcpy(m_context.crypto.remote_aead_iv, server_iv, iv_size);
m_aes_local.gcm = make<Crypto::Cipher::AESCipher::GCMMode>(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246); m_cipher_local = Crypto::Cipher::AESCipher::GCMMode(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
m_aes_remote.gcm = make<Crypto::Cipher::AESCipher::GCMMode>(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246); m_cipher_remote = Crypto::Cipher::AESCipher::GCMMode(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
} else { } else {
memcpy(m_context.crypto.local_iv, client_iv, iv_size); memcpy(m_context.crypto.local_iv, client_iv, iv_size);
memcpy(m_context.crypto.remote_iv, server_iv, iv_size); memcpy(m_context.crypto.remote_iv, server_iv, iv_size);
m_aes_local.cbc = make<Crypto::Cipher::AESCipher::CBCMode>(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246); m_cipher_local = Crypto::Cipher::AESCipher::CBCMode(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
m_aes_remote.cbc = make<Crypto::Cipher::AESCipher::CBCMode>(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246); m_cipher_remote = Crypto::Cipher::AESCipher::CBCMode(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
} }
m_context.crypto.created = 1; m_context.crypto.created = 1;

358
Userland/Libraries/LibTLS/Record.cpp
View file

@ -67,22 +67,29 @@ void TLSv12::update_packet(ByteBuffer& packet)
} }
if (m_context.cipher_spec_set && m_context.crypto.created) { if (m_context.cipher_spec_set && m_context.crypto.created) {
size_t length = packet.size() - header_size; size_t length = packet.size() - header_size;
size_t block_size, padding, mac_size; size_t block_size = 0;
size_t padding = 0;
size_t mac_size = 0;
if (!is_aead()) { m_cipher_local.visit(
block_size = m_aes_local.cbc->cipher().block_size(); [&](Empty&) { VERIFY_NOT_REACHED(); },
// If the length is already a multiple a block_size, [&](Crypto::Cipher::AESCipher::GCMMode& gcm) {
// an entire block of padding is added. VERIFY(is_aead());
// In short, we _never_ have no padding. block_size = gcm.cipher().block_size();
mac_size = mac_length(); padding = 0;
length += mac_size; mac_size = 0; // AEAD provides its own authentication scheme.
padding = block_size - length % block_size; },
length += padding; [&](Crypto::Cipher::AESCipher::CBCMode& cbc) {
} else { VERIFY(!is_aead());
block_size = m_aes_local.gcm->cipher().block_size(); block_size = cbc.cipher().block_size();
padding = 0; // If the length is already a multiple a block_size,
mac_size = 0; // AEAD provides its own authentication scheme. // an entire block of padding is added.
} // In short, we _never_ have no padding.
mac_size = mac_length();
length += mac_size;
padding = block_size - length % block_size;
length += padding;
});
if (m_context.crypto.created == 1) { if (m_context.crypto.created == 1) {
// `buffer' will continue to be encrypted // `buffer' will continue to be encrypted
@ -96,87 +103,91 @@ void TLSv12::update_packet(ByteBuffer& packet)
ByteBuffer ct; ByteBuffer ct;
if (is_aead()) { m_cipher_local.visit(
// We need enough space for a header, the data, a tag, and the IV [&](Empty&) { VERIFY_NOT_REACHED(); },
ct = ByteBuffer::create_uninitialized(length + header_size + iv_size + 16); [&](Crypto::Cipher::AESCipher::GCMMode& gcm) {
VERIFY(is_aead());
// We need enough space for a header, the data, a tag, and the IV
ct = ByteBuffer::create_uninitialized(length + header_size + iv_size + 16);
// copy the header over // copy the header over
ct.overwrite(0, packet.data(), header_size - 2); ct.overwrite(0, packet.data(), header_size - 2);
// AEAD AAD (13) // AEAD AAD (13)
// Seq. no (8) // Seq. no (8)
// content type (1) // content type (1)
// version (2) // version (2)
// length (2) // length (2)
u8 aad[13]; u8 aad[13];
Bytes aad_bytes { aad, 13 }; Bytes aad_bytes { aad, 13 };
OutputMemoryStream aad_stream { aad_bytes }; OutputMemoryStream aad_stream { aad_bytes };
u64 seq_no = AK::convert_between_host_and_network_endian(m_context.local_sequence_number); u64 seq_no = AK::convert_between_host_and_network_endian(m_context.local_sequence_number);
u16 len = AK::convert_between_host_and_network_endian((u16)(packet.size() - header_size)); u16 len = AK::convert_between_host_and_network_endian((u16)(packet.size() - header_size));
aad_stream.write({ &seq_no, sizeof(seq_no) }); aad_stream.write({ &seq_no, sizeof(seq_no) });
aad_stream.write(packet.bytes().slice(0, 3)); // content-type + version aad_stream.write(packet.bytes().slice(0, 3)); // content-type + version
aad_stream.write({ &len, sizeof(len) }); // length aad_stream.write({ &len, sizeof(len) }); // length
VERIFY(aad_stream.is_end()); VERIFY(aad_stream.is_end());
// AEAD IV (12) // AEAD IV (12)
// IV (4) // IV (4)
// (Nonce) (8) // (Nonce) (8)
// -- Our GCM impl takes 16 bytes // -- Our GCM impl takes 16 bytes
// zero (4) // zero (4)
u8 iv[16]; u8 iv[16];
Bytes iv_bytes { iv, 16 }; Bytes iv_bytes { iv, 16 };
Bytes { m_context.crypto.local_aead_iv, 4 }.copy_to(iv_bytes); Bytes { m_context.crypto.local_aead_iv, 4 }.copy_to(iv_bytes);
fill_with_random(iv_bytes.offset(4), 8); fill_with_random(iv_bytes.offset(4), 8);
memset(iv_bytes.offset(12), 0, 4); memset(iv_bytes.offset(12), 0, 4);
// write the random part of the iv out // write the random part of the iv out
iv_bytes.slice(4, 8).copy_to(ct.bytes().slice(header_size)); iv_bytes.slice(4, 8).copy_to(ct.bytes().slice(header_size));
// Write the encrypted data and the tag // Write the encrypted data and the tag
m_aes_local.gcm->encrypt( gcm.encrypt(
packet.bytes().slice(header_size, length), packet.bytes().slice(header_size, length),
ct.bytes().slice(header_size + 8, length), ct.bytes().slice(header_size + 8, length),
iv_bytes, iv_bytes,
aad_bytes, aad_bytes,
ct.bytes().slice(header_size + 8 + length, 16)); ct.bytes().slice(header_size + 8 + length, 16));
VERIFY(header_size + 8 + length + 16 == ct.size()); VERIFY(header_size + 8 + length + 16 == ct.size());
},
[&](Crypto::Cipher::AESCipher::CBCMode& cbc) {
VERIFY(!is_aead());
// We need enough space for a header, iv_length bytes of IV and whatever the packet contains
ct = ByteBuffer::create_uninitialized(length + header_size + iv_size);
} else { // copy the header over
// We need enough space for a header, iv_length bytes of IV and whatever the packet contains ct.overwrite(0, packet.data(), header_size - 2);
ct = ByteBuffer::create_uninitialized(length + header_size + iv_size);
// copy the header over // get the appropricate HMAC value for the entire packet
ct.overwrite(0, packet.data(), header_size - 2); auto mac = hmac_message(packet, {}, mac_size, true);
// get the appropricate HMAC value for the entire packet // write the MAC
auto mac = hmac_message(packet, {}, mac_size, true); buffer.overwrite(buffer_position, mac.data(), mac.size());
buffer_position += mac.size();
// write the MAC // Apply the padding (a packet MUST always be padded)
buffer.overwrite(buffer_position, mac.data(), mac.size()); memset(buffer.offset_pointer(buffer_position), padding - 1, padding);
buffer_position += mac.size(); buffer_position += padding;
// Apply the padding (a packet MUST always be padded) VERIFY(buffer_position == buffer.size());
memset(buffer.offset_pointer(buffer_position), padding - 1, padding);
buffer_position += padding;
VERIFY(buffer_position == buffer.size()); auto iv = ByteBuffer::create_uninitialized(iv_size);
fill_with_random(iv.data(), iv.size());
auto iv = ByteBuffer::create_uninitialized(iv_size); // write it into the ciphertext portion of the message
fill_with_random(iv.data(), iv.size()); ct.overwrite(header_size, iv.data(), iv.size());
// write it into the ciphertext portion of the message VERIFY(header_size + iv_size + length == ct.size());
ct.overwrite(header_size, iv.data(), iv.size()); VERIFY(length % block_size == 0);
VERIFY(header_size + iv_size + length == ct.size()); // get a block to encrypt into
VERIFY(length % block_size == 0); auto view = ct.bytes().slice(header_size + iv_size, length);
cbc.encrypt(buffer, view, iv);
// get a block to encrypt into });
auto view = ct.bytes().slice(header_size + iv_size, length);
m_aes_local.cbc->encrypt(buffer, view, iv);
}
// store the correct ciphertext length into the packet // store the correct ciphertext length into the packet
u16 ct_length = (u16)ct.size() - header_size; u16 ct_length = (u16)ct.size() - header_size;
@ -303,115 +314,126 @@ ssize_t TLSv12::handle_message(ReadonlyBytes buffer)
print_buffer(buffer.slice(header_size, length)); print_buffer(buffer.slice(header_size, length));
} }
if (is_aead()) { Error return_value = Error::NoError;
VERIFY(m_aes_remote.gcm); m_cipher_remote.visit(
[&](Empty&) { VERIFY_NOT_REACHED(); },
[&](Crypto::Cipher::AESCipher::GCMMode& gcm) {
VERIFY(is_aead());
if (length < 24) {
dbgln("Invalid packet length");
auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
write_packet(packet);
return_value = Error::BrokenPacket;
return;
}
if (length < 24) { auto packet_length = length - iv_length() - 16;
dbgln("Invalid packet length"); auto payload = plain;
auto packet = build_alert(true, (u8)AlertDescription::DecryptError); decrypted = ByteBuffer::create_uninitialized(packet_length);
write_packet(packet);
return (i8)Error::BrokenPacket;
}
auto packet_length = length - iv_length() - 16; // AEAD AAD (13)
auto payload = plain; // Seq. no (8)
decrypted = ByteBuffer::create_uninitialized(packet_length); // content type (1)
// version (2)
// length (2)
u8 aad[13];
Bytes aad_bytes { aad, 13 };
OutputMemoryStream aad_stream { aad_bytes };
// AEAD AAD (13) u64 seq_no = AK::convert_between_host_and_network_endian(m_context.remote_sequence_number);
// Seq. no (8) u16 len = AK::convert_between_host_and_network_endian((u16)packet_length);
// content type (1)
// version (2)
// length (2)
u8 aad[13];
Bytes aad_bytes { aad, 13 };
OutputMemoryStream aad_stream { aad_bytes };
u64 seq_no = AK::convert_between_host_and_network_endian(m_context.remote_sequence_number); aad_stream.write({ &seq_no, sizeof(seq_no) }); // Sequence number
u16 len = AK::convert_between_host_and_network_endian((u16)packet_length); aad_stream.write(buffer.slice(0, header_size - 2)); // content-type + version
aad_stream.write({ &len, sizeof(u16) });
VERIFY(aad_stream.is_end());
aad_stream.write({ &seq_no, sizeof(seq_no) }); // Sequence number auto nonce = payload.slice(0, iv_length());
aad_stream.write(buffer.slice(0, header_size - 2)); // content-type + version payload = payload.slice(iv_length());
aad_stream.write({ &len, sizeof(u16) });
VERIFY(aad_stream.is_end());
auto nonce = payload.slice(0, iv_length()); // AEAD IV (12)
payload = payload.slice(iv_length()); // IV (4)
// (Nonce) (8)
// -- Our GCM impl takes 16 bytes
// zero (4)
u8 iv[16];
Bytes iv_bytes { iv, 16 };
Bytes { m_context.crypto.remote_aead_iv, 4 }.copy_to(iv_bytes);
nonce.copy_to(iv_bytes.slice(4));
memset(iv_bytes.offset(12), 0, 4);
// AEAD IV (12) auto ciphertext = payload.slice(0, payload.size() - 16);
// IV (4) auto tag = payload.slice(ciphertext.size());
// (Nonce) (8)
// -- Our GCM impl takes 16 bytes
// zero (4)
u8 iv[16];
Bytes iv_bytes { iv, 16 };
Bytes { m_context.crypto.remote_aead_iv, 4 }.copy_to(iv_bytes);
nonce.copy_to(iv_bytes.slice(4));
memset(iv_bytes.offset(12), 0, 4);
auto ciphertext = payload.slice(0, payload.size() - 16); auto consistency = gcm.decrypt(
auto tag = payload.slice(ciphertext.size()); ciphertext,
decrypted,
iv_bytes,
aad_bytes,
tag);
auto consistency = m_aes_remote.gcm->decrypt( if (consistency != Crypto::VerificationConsistency::Consistent) {
ciphertext, dbgln("integrity check failed (tag length {})", tag.size());
decrypted, auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
iv_bytes, write_packet(packet);
aad_bytes,
tag);
if (consistency != Crypto::VerificationConsistency::Consistent) { return_value = Error::IntegrityCheckFailed;
dbgln("integrity check failed (tag length {})", tag.size()); return;
auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC); }
write_packet(packet);
return (i8)Error::IntegrityCheckFailed; plain = decrypted;
} },
[&](Crypto::Cipher::AESCipher::CBCMode& cbc) {
VERIFY(!is_aead());
auto iv_size = iv_length();
plain = decrypted; decrypted = cbc.create_aligned_buffer(length - iv_size);
} else { auto iv = buffer.slice(header_size, iv_size);
VERIFY(m_aes_remote.cbc);
auto iv_size = iv_length();
decrypted = m_aes_remote.cbc->create_aligned_buffer(length - iv_size); Bytes decrypted_span = decrypted;
auto iv = buffer.slice(header_size, iv_size); cbc.decrypt(buffer.slice(header_size + iv_size, length - iv_size), decrypted_span, iv);
Bytes decrypted_span = decrypted; length = decrypted_span.size();
m_aes_remote.cbc->decrypt(buffer.slice(header_size + iv_size, length - iv_size), decrypted_span, iv);
length = decrypted_span.size(); if constexpr (TLS_DEBUG) {
dbgln("Decrypted: ");
print_buffer(decrypted);
}
if constexpr (TLS_DEBUG) { auto mac_size = mac_length();
dbgln("Decrypted: "); if (length < mac_size) {
print_buffer(decrypted); dbgln("broken packet");
} auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
write_packet(packet);
return_value = Error::BrokenPacket;
return;
}
auto mac_size = mac_length(); length -= mac_size;
if (length < mac_size) {
dbgln("broken packet");
auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
write_packet(packet);
return (i8)Error::BrokenPacket;
}
length -= mac_size; const u8* message_hmac = decrypted_span.offset(length);
u8 temp_buf[5];
memcpy(temp_buf, buffer.offset_pointer(0), 3);
*(u16*)(temp_buf + 3) = AK::convert_between_host_and_network_endian(length);
auto hmac = hmac_message({ temp_buf, 5 }, decrypted_span.slice(0, length), mac_size);
auto message_mac = ReadonlyBytes { message_hmac, mac_size };
if (hmac != message_mac) {
dbgln("integrity check failed (mac length {})", mac_size);
dbgln("mac received:");
print_buffer(message_mac);
dbgln("mac computed:");
print_buffer(hmac);
auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
write_packet(packet);
const u8* message_hmac = decrypted_span.offset(length); return_value = Error::IntegrityCheckFailed;
u8 temp_buf[5]; return;
memcpy(temp_buf, buffer.offset_pointer(0), 3); }
*(u16*)(temp_buf + 3) = AK::convert_between_host_and_network_endian(length); plain = decrypted.bytes().slice(0, length);
auto hmac = hmac_message({ temp_buf, 5 }, decrypted_span.slice(0, length), mac_size); });
auto message_mac = ReadonlyBytes { message_hmac, mac_size };
if (hmac != message_mac) {
dbgln("integrity check failed (mac length {})", mac_size);
dbgln("mac received:");
print_buffer(message_mac);
dbgln("mac computed:");
print_buffer(hmac);
auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
write_packet(packet);
return (i8)Error::IntegrityCheckFailed; if (return_value != Error::NoError) {
} return (i8)return_value;
plain = decrypted.bytes().slice(0, length);
} }
} }
m_context.remote_sequence_number++; m_context.remote_sequence_number++;

10
Userland/Libraries/LibTLS/TLSv12.h
View file

@ -463,10 +463,12 @@ private:
OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_local; OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_local;
OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_remote; OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_remote;
struct { using CipherVariant = Variant<
OwnPtr<Crypto::Cipher::AESCipher::CBCMode> cbc; Empty,
OwnPtr<Crypto::Cipher::AESCipher::GCMMode> gcm; Crypto::Cipher::AESCipher::CBCMode,
} m_aes_local, m_aes_remote; Crypto::Cipher::AESCipher::GCMMode>;
CipherVariant m_cipher_local { Empty {} };
CipherVariant m_cipher_remote { Empty {} };
bool m_has_scheduled_write_flush { false }; bool m_has_scheduled_write_flush { false };
i32 m_max_wait_time_for_handshake_in_seconds { 10 }; i32 m_max_wait_time_for_handshake_in_seconds { 10 };