LibTLS: Split TLSv12 to sensible categorical files

This commit splits the TLSv12 file into multiple files, and also removes some magic values, to make the code less horrible. :^)
2025-07-25 20:27:45 +00:00 · 2020-04-25 23:44:27 +04:30 · 2020-04-25 23:44:27 +04:30 · dace14e70d
commit dace14e70d
parent 75310003e5
9 changed files with 1735 additions and 1404 deletions
--- a/Libraries/LibTLS/Exchange.cpp
+++ b/Libraries/LibTLS/Exchange.cpp
@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice, this
+ *    list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <LibCore/Timer.h>
+#include <LibCrypto/ASN1/DER.h>
+#include <LibCrypto/PK/Code/EMSA_PSS.h>
+#include <LibTLS/TLSv12.h>
+
+namespace TLS {
+
+bool TLSv12::expand_key()
+{
+    u8 key[192]; // soooooooo many constants
+    auto key_buffer = ByteBuffer::wrap(key, 192);
+
+    if (m_context.master_key.size() == 0) {
+        dbg() << "expand_key() with empty master key";
+        return false;
+    }
+
+    auto key_size = key_length();
+    auto mac_size = mac_length();
+    auto iv_size = iv_length();
+
+    pseudorandom_function(
+        key_buffer,
+        m_context.master_key,
+        (const u8*)"key expansion", 13,
+        ByteBuffer::wrap(m_context.remote_random, 32),
+        ByteBuffer::wrap(m_context.local_random, 32));
+
+    size_t offset = 0;
+    memcpy(m_context.crypto.local_mac, key + offset, mac_size);
+    offset += mac_size;
+    memcpy(m_context.crypto.remote_mac, key + offset, mac_size);
+    offset += mac_size;
+
+    auto client_key = key + offset;
+    offset += key_size;
+    auto server_key = key + offset;
+    offset += key_size;
+    auto client_iv = key + offset;
+    offset += iv_size;
+    auto server_iv = key + offset;
+    offset += iv_size;
+
+#ifdef TLS_DEBUG
+    dbg() << "client key";
+    print_buffer(client_key, key_size);
+    dbg() << "server key";
+    print_buffer(server_key, key_size);
+    dbg() << "client iv";
+    print_buffer(client_iv, iv_size);
+    dbg() << "server iv";
+    print_buffer(server_iv, iv_size);
+    dbg() << "client mac key";
+    print_buffer(m_context.crypto.local_mac, mac_size);
+    dbg() << "server mac key";
+    print_buffer(m_context.crypto.remote_mac, mac_size);
+#endif
+
+    memcpy(m_context.crypto.local_iv, client_iv, iv_size);
+    memcpy(m_context.crypto.remote_iv, server_iv, iv_size);
+
+    m_aes_local = make<Crypto::Cipher::AESCipher::CBCMode>(ByteBuffer::wrap(client_key, key_size), key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
+    m_aes_remote = make<Crypto::Cipher::AESCipher::CBCMode>(ByteBuffer::wrap(server_key, key_size), key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
+
+    m_context.crypto.created = 1;
+
+    return true;
+}
+
+void TLSv12::pseudorandom_function(ByteBuffer& output, const ByteBuffer& secret, const u8* label, size_t label_length, const ByteBuffer& seed, const ByteBuffer& seed_b)
+{
+    if (!secret.size()) {
+        dbg() << "null secret";
+        return;
+    }
+
+    // RFC 5246: "In this section, we define one PRF, based on HMAC.  This PRF with the
+    //            SHA-256 hash function is used for all cipher suites defined in this
+    //            document and in TLS documents published prior to this document when
+    //            TLS 1.2 is negotiated."
+    // Apparently this PRF _always_ uses SHA256
+    Crypto::Authentication::HMAC<Crypto::Hash::SHA256> hmac(secret);
+
+    auto l_seed_size = label_length + seed.size() + seed_b.size();
+    u8 l_seed[l_seed_size];
+    auto label_seed_buffer = ByteBuffer::wrap(l_seed, l_seed_size);
+    label_seed_buffer.overwrite(0, label, label_length);
+    label_seed_buffer.overwrite(label_length, seed.data(), seed.size());
+    label_seed_buffer.overwrite(label_length + seed.size(), seed_b.data(), seed_b.size());
+
+    auto digest_size = hmac.digest_size();
+
+    u8 digest[digest_size];
+
+    auto digest_0 = ByteBuffer::wrap(digest, digest_size);
+
+    digest_0.overwrite(0, hmac.process(label_seed_buffer).immutable_data(), digest_size);
+
+    size_t index = 0;
+    while (index < output.size()) {
+        hmac.update(digest_0);
+        hmac.update(label_seed_buffer);
+        auto digest_1 = hmac.digest();
+
+        auto copy_size = min(digest_size, output.size() - index);
+
+        output.overwrite(index, digest_1.immutable_data(), copy_size);
+        index += copy_size;
+
+        digest_0.overwrite(0, hmac.process(digest_0).immutable_data(), digest_size);
+    }
+}
+
+bool TLSv12::compute_master_secret(size_t length)
+{
+    if (m_context.premaster_key.size() == 0 || length < 48) {
+        dbg() << "there's no way I can make a master secret like this";
+        dbg() << "I'd like to talk to your manager about this length of " << length;
+        return false;
+    }
+
+    m_context.master_key.clear();
+    m_context.master_key.grow(length);
+
+    pseudorandom_function(
+        m_context.master_key,
+        m_context.premaster_key,
+        (const u8*)"master secret", 13,
+        ByteBuffer::wrap(m_context.local_random, 32),
+        ByteBuffer::wrap(m_context.remote_random, 32));
+
+    m_context.premaster_key.clear();
+#ifdef TLS_DEBUG
+    dbg() << "master key:";
+    print_buffer(m_context.master_key);
+#endif
+    expand_key();
+    return true;
+}
+
+ByteBuffer TLSv12::build_certificate()
+{
+    dbg() << "FIXME: build_certificate";
+    return {};
+}
+
+ByteBuffer TLSv12::build_change_cipher_spec()
+{
+    PacketBuilder builder { MessageType::ChangeCipher, m_context.version, 64 };
+    builder.append((u8)1);
+    auto packet = builder.build();
+    update_packet(packet);
+    m_context.local_sequence_number = 0;
+    return packet;
+}
+
+ByteBuffer TLSv12::build_server_key_exchange()
+{
+    dbg() << "FIXME: build_server_key_exchange";
+    return {};
+}
+
+ByteBuffer TLSv12::build_client_key_exchange()
+{
+    PacketBuilder builder { MessageType::Handshake, m_context.version };
+    builder.append((u8)HandshakeType::ClientKeyExchange);
+    build_random(builder);
+
+    m_context.connection_status = ConnectionStatus::KeyExchange;
+
+    auto packet = builder.build();
+
+    update_packet(packet);
+
+    return packet;
+}
+
+ssize_t TLSv12::handle_server_key_exchange(const ByteBuffer&)
+{
+    dbg() << "FIXME: parse_server_key_exchange";
+    return 0;
+}
+
+ssize_t TLSv12::handle_verify(const ByteBuffer&)
+{
+    dbg() << "FIXME: parse_verify";
+    return 0;
+}
+
+}