mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-04-22 12:35:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibTLS: Split TLSv12 to sensible categorical files

Browse source 
This commit splits the TLSv12 file into multiple files, and also removes
some magic values, to make the code less horrible. :^)
This commit is contained in:
AnotherTest 2020-04-25 23:44:27 +04:30 committed by Andreas Kling
parent 75310003e5
commit dace14e70d
Notes: sideshowbarker 2024-07-19 07:04:12 +09:00
9 changed files with 1735 additions and 1404 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

608
Libraries/LibTLS/ClientHandshake.cpp Normal file
View file

@ -0,0 +1,608 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/DER.h>
#include <LibCrypto/PK/Code/EMSA_PSS.h>
#include <LibTLS/TLSv12.h>
namespace TLS {
ssize_t TLSv12::handle_server_hello_done(const ByteBuffer& buffer)
{
if (buffer.size() < 3)
return (i8)Error::NeedMoreData;
size_t size = buffer[0] * 0x10000 + buffer[1] * 0x100 + buffer[2];
if (buffer.size() - 3 < size)
return (i8)Error::NeedMoreData;
return size + 3;
}
ssize_t TLSv12::handle_hello(const ByteBuffer& buffer, WritePacketStage& write_packets)
{
write_packets = WritePacketStage::Initial;
if (m_context.connection_status != ConnectionStatus::Disconnected && m_context.connection_status != ConnectionStatus::Renegotiating) {
dbg() << "unexpected hello message";
return (i8)Error::UnexpectedMessage;
}
ssize_t res = 0;
size_t min_hello_size = 41;
if (min_hello_size > buffer.size()) {
dbg() << "need more data";
return (i8)Error::NeedMoreData;
}
size_t following_bytes = buffer[0] * 0x10000 + buffer[1] * 0x100 + buffer[2];
res += 3;
if (buffer.size() - res < following_bytes) {
dbg() << "not enough data after header: " << buffer.size() - res << " < " << following_bytes;
return (i8)Error::NeedMoreData;
}
if (buffer.size() - res < 2) {
dbg() << "not enough data for version";
return (i8)Error::NeedMoreData;
}
auto version = (Version)convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res));
res += 2;
if (!supports_version(version))
return (i8)Error::NotSafe;
memcpy(m_context.remote_random, buffer.offset_pointer(res), sizeof(m_context.remote_random));
res += sizeof(m_context.remote_random);
u8 session_length = buffer[res++];
if (buffer.size() - res < session_length) {
dbg() << "not enough data for session id";
return (i8)Error::NeedMoreData;
}
if (session_length && session_length <= 32) {
memcpy(m_context.session_id, buffer.offset_pointer(res), session_length);
m_context.session_id_size = session_length;
dbg() << "Remote session ID:";
print_buffer(ByteBuffer::wrap(m_context.session_id, session_length));
} else {
m_context.session_id_size = 0;
}
res += session_length;
if (buffer.size() - res < 2) {
dbg() << "not enough data for cipher suite listing";
return (i8)Error::NeedMoreData;
}
auto cipher = (CipherSuite)convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res));
res += 2;
if (!supports_cipher(cipher)) {
m_context.cipher = CipherSuite::Invalid;
dbg() << "No supported cipher could be agreed upon";
return (i8)Error::NoCommonCipher;
}
m_context.cipher = cipher;
dbg() << "Cipher: " << (u16)cipher;
// The handshake hash function is _always_ SHA256
m_context.handshake_hash.initialize(Crypto::Hash::HashKind::SHA256);
if (buffer.size() - res < 1) {
dbg() << "not enough data for compression spec";
return (i8)Error::NeedMoreData;
}
u8 compression = buffer[res++];
if (compression != 0) {
dbg() << "Server told us to compress, we will not!";
return (i8)Error::CompressionNotSupported;
}
if (res > 0) {
if (m_context.connection_status != ConnectionStatus::Renegotiating)
m_context.connection_status = ConnectionStatus::Negotiating;
if (m_context.is_server) {
dbg() << "unsupported: server mode";
write_packets = WritePacketStage::ServerHandshake;
}
}
if (res > 2) {
res += 2;
}
while ((ssize_t)buffer.size() - res >= 4) {
auto extension_type = (HandshakeExtension)convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res));
res += 2;
u16 extension_length = convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res));
res += 2;
dbg() << "extension " << (u16)extension_type << " with length " << extension_length;
if (extension_length) {
if (buffer.size() - res < extension_length) {
dbg() << "not enough data for extension";
return (i8)Error::NeedMoreData;
}
// SNI
if (extension_type == HandshakeExtension::ServerName) {
u16 sni_host_length = convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res + 3));
if (buffer.size() - res - 5 < sni_host_length) {
dbg() << "Not enough data for sni " << (buffer.size() - res - 5) << " < " << sni_host_length;
return (i8)Error::NeedMoreData;
}
if (sni_host_length) {
m_context.SNI = String { (const char*)buffer.offset_pointer(res + 5), sni_host_length };
dbg() << "server name indicator: " << m_context.SNI;
}
} else if (extension_type == HandshakeExtension::ApplicationLayerProtocolNegotiation && m_context.alpn.size()) {
if (buffer.size() - res > 2) {
auto alpn_length = convert_between_host_and_network(*(const u16*)buffer.offset_pointer(res));
if (alpn_length && alpn_length <= extension_length - 2) {
const u8* alpn = buffer.offset_pointer(res + 2);
size_t alpn_position = 0;
while (alpn_position < alpn_length) {
u8 alpn_size = alpn[alpn_position++];
if (alpn_size + alpn_position >= extension_length)
break;
String alpn_str { (const char*)alpn + alpn_position, alpn_length };
if (alpn_size && m_context.alpn.contains_slow(alpn_str)) {
m_context.negotiated_alpn = alpn_str;
dbg() << "negotiated alpn: " << alpn_str;
break;
}
alpn_position += alpn_length;
if (!m_context.is_server) // server hello must contain one ALPN
break;
}
}
}
} else if (extension_type == HandshakeExtension::SignatureAlgorithms) {
dbg() << "supported signatures: ";
print_buffer(buffer.slice_view(res, extension_length));
// FIXME: what are we supposed to do here?
}
res += extension_length;
}
}
return res;
}
ssize_t TLSv12::handle_finished(const ByteBuffer& buffer, WritePacketStage& write_packets)
{
if (m_context.connection_status < ConnectionStatus::KeyExchange || m_context.connection_status == ConnectionStatus::Established) {
dbg() << "unexpected finished message";
return (i8)Error::UnexpectedMessage;
}
write_packets = WritePacketStage::Initial;
if (buffer.size() < 3) {
return (i8)Error::NeedMoreData;
}
size_t index = 3;
u32 size = buffer[0] * 0x10000 + buffer[1] * 0x100 + buffer[2];
index += 3;
if (size < 12) {
dbg() << "finished packet smaller than minimum size: " << size;
return (i8)Error::BrokenPacket;
}
if (size < buffer.size() - index) {
dbg() << "not enough data after length: " << size << " > " << buffer.size() - index;
return (i8)Error::NeedMoreData;
}
// TODO: Compare Hashes
dbg() << "FIXME: handle_finished :: Check message validity";
m_context.connection_status = ConnectionStatus::Established;
return handle_message(buffer);
}
void TLSv12::build_random(PacketBuilder& builder)
{
u8 random_bytes[48];
size_t bytes = 48;
arc4random_buf(random_bytes, bytes);
// remove zeros from the random bytes
for (size_t i = 0; i < bytes; ++i)
if (!random_bytes[i])
random_bytes[i--] = arc4random();
if (m_context.is_server) {
dbg() << "Server mode not supported";
return;
} else {
*(u16*)random_bytes = convert_between_host_and_network((u16)Version::V12);
}
m_context.premaster_key = ByteBuffer::copy(random_bytes, bytes);
const auto& certificate = m_context.certificates[0];
#ifdef TLS_DEBUG
dbg() << "PreMaster secret";
print_buffer(m_context.premaster_key);
#endif
Crypto::PK::RSA_PKCS1_EME rsa(certificate.public_key.modulus(), 0, certificate.public_key.public_exponent());
u8 out[rsa.output_size()];
auto outbuf = ByteBuffer::wrap(out, rsa.output_size());
rsa.encrypt(m_context.premaster_key, outbuf);
#ifdef TLS_DEBUG
dbg() << "Encrypted: ";
print_buffer(outbuf);
#endif
if (!compute_master_secret(bytes)) {
dbg() << "oh noes we could not derive a master key :(";
return;
}
builder.append_u24(outbuf.size() + 2);
builder.append((u16)outbuf.size());
builder.append(outbuf);
}
ssize_t TLSv12::handle_payload(const ByteBuffer& vbuffer)
{
if (m_context.connection_status == ConnectionStatus::Established) {
auto packet = build_alert(false, (u8)AlertDescription::NoRenegotiation);
write_packet(packet);
return 1;
}
auto buffer = vbuffer;
auto buffer_length = buffer.size();
auto original_length = buffer_length;
while (buffer_length >= 4 && !m_context.critical_error) {
ssize_t payload_res = 0;
if (buffer_length < 1)
return (i8)Error::NeedMoreData;
auto type = buffer[0];
auto write_packets { WritePacketStage::Initial };
size_t payload_size = buffer[1] * 0x10000 + buffer[2] * 0x100 + buffer[3] + 3;
#ifdef TLS_DEBUG
dbg() << "payload size: " << payload_size << " buffer length: " << buffer_length;
#endif
if (payload_size + 1 > buffer_length)
return (i8)Error::NeedMoreData;
switch (type) {
case HelloRequest:
if (m_context.handshake_messages[0] >= 1) {
dbg() << "unexpected hello request message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[0];
dbg() << "hello request (renegotiation?)";
if (m_context.connection_status == ConnectionStatus::Established) {
// renegotiation
payload_res = (i8)Error::NoRenegotiation;
} else {
// :shrug:
payload_res = (i8)Error::UnexpectedMessage;
}
break;
case ClientHello:
// FIXME: We only support client mode right now
if (m_context.is_server) {
ASSERT_NOT_REACHED();
}
payload_res = (i8)Error::UnexpectedMessage;
break;
case ServerHello:
if (m_context.handshake_messages[2] >= 1) {
dbg() << "unexpected server hello message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[2];
#ifdef TLS_DEBUG
dbg() << "server hello";
#endif
if (m_context.is_server) {
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
} else {
payload_res = handle_hello(buffer.slice_view(1, payload_size), write_packets);
}
break;
case HelloVerifyRequest:
dbg() << "unsupported: DTLS";
payload_res = (i8)Error::UnexpectedMessage;
break;
case CertificateMessage:
if (m_context.handshake_messages[4] >= 1) {
dbg() << "unexpected certificate message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[4];
#ifdef TLS_DEBUG
dbg() << "certificate";
#endif
if (m_context.connection_status == ConnectionStatus::Negotiating) {
if (m_context.is_server) {
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
}
payload_res = handle_certificate(buffer.slice_view(1, payload_size));
} else {
payload_res = (i8)Error::UnexpectedMessage;
}
break;
case ServerKeyExchange:
if (m_context.handshake_messages[5] >= 1) {
dbg() << "unexpected server key exchange message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[5];
#ifdef TLS_DEBUG
dbg() << "server key exchange";
#endif
if (m_context.is_server) {
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
} else {
payload_res = handle_server_key_exchange(buffer.slice_view(1, payload_size));
}
break;
case CertificateRequest:
if (m_context.handshake_messages[6] >= 1) {
dbg() << "unexpected certificate request message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[6];
if (m_context.is_server) {
dbg() << "invalid request";
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
} else {
// we do not support "certificate request"
dbg() << "certificate request";
ASSERT_NOT_REACHED();
}
break;
case ServerHelloDone:
if (m_context.handshake_messages[7] >= 1) {
dbg() << "unexpected server hello done message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[7];
#ifdef TLS_DEBUG
dbg() << "server hello done";
#endif
if (m_context.is_server) {
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
} else {
payload_res = handle_server_hello_done(buffer.slice_view(1, payload_size));
if (payload_res > 0)
write_packets = WritePacketStage::ClientHandshake;
}
break;
case CertificateVerify:
if (m_context.handshake_messages[8] >= 1) {
dbg() << "unexpected certificate verify message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[8];
#ifdef TLS_DEBUG
dbg() << "certificate verify";
#endif
if (m_context.connection_status == ConnectionStatus::KeyExchange) {
payload_res = handle_verify(buffer.slice_view(1, payload_size));
} else {
payload_res = (i8)Error::UnexpectedMessage;
}
break;
case ClientKeyExchange:
if (m_context.handshake_messages[9] >= 1) {
dbg() << "unexpected client key exchange message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[9];
#ifdef TLS_DEBUG
dbg() << "client key exchange";
#endif
if (m_context.is_server) {
dbg() << "unsupported: server mode";
ASSERT_NOT_REACHED();
} else {
payload_res = (i8)Error::UnexpectedMessage;
}
break;
case Finished:
if (m_context.cached_handshake) {
m_context.cached_handshake.clear();
}
if (m_context.handshake_messages[10] >= 1) {
dbg() << "unexpected finished message";
payload_res = (i8)Error::UnexpectedMessage;
break;
}
++m_context.handshake_messages[10];
#ifdef TLS_DEBUG
dbg() << "finished";
#endif
payload_res = handle_finished(buffer.slice_view(1, payload_size), write_packets);
if (payload_res > 0) {
memset(m_context.handshake_messages, 0, sizeof(m_context.handshake_messages));
}
break;
default:
dbg() << "message type not understood: " << type;
return (i8)Error::NotUnderstood;
}
if (type != HelloRequest) {
update_hash(buffer.slice_view(0, payload_size + 1));
}
// if something went wrong, send an alert about it
if (payload_res < 0) {
switch ((Error)payload_res) {
case Error::UnexpectedMessage: {
auto packet = build_alert(true, (u8)AlertDescription::UnexpectedMessage);
write_packet(packet);
break;
}
case Error::CompressionNotSupported: {
auto packet = build_alert(true, (u8)AlertDescription::DecompressionFailure);
write_packet(packet);
break;
}
case Error::BrokenPacket: {
auto packet = build_alert(true, (u8)AlertDescription::DecodeError);
write_packet(packet);
break;
}
case Error::NotVerified: {
auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
write_packet(packet);
break;
}
case Error::BadCertificate: {
auto packet = build_alert(true, (u8)AlertDescription::BadCertificate);
write_packet(packet);
break;
}
case Error::UnsupportedCertificate: {
auto packet = build_alert(true, (u8)AlertDescription::UnsupportedCertificate);
write_packet(packet);
break;
}
case Error::NoCommonCipher: {
auto packet = build_alert(true, (u8)AlertDescription::InsufficientSecurity);
write_packet(packet);
break;
}
case Error::NotUnderstood: {
auto packet = build_alert(true, (u8)AlertDescription::InternalError);
write_packet(packet);
break;
}
case Error::NoRenegotiation: {
auto packet = build_alert(true, (u8)AlertDescription::NoRenegotiation);
write_packet(packet);
break;
}
case Error::DecryptionFailed: {
auto packet = build_alert(true, (u8)AlertDescription::DecryptionFailed);
write_packet(packet);
break;
}
default:
dbg() << "Unknown TLS::Error with value " << payload_res;
ASSERT_NOT_REACHED();
break;
}
if (payload_res < 0)
return payload_res;
}
switch (write_packets) {
case WritePacketStage::Initial:
// nothing to write
break;
case WritePacketStage::ClientHandshake:
// Note: currently not used
if (m_context.client_verified == VerificationNeeded) {
auto packet = build_certificate();
write_packet(packet);
m_context.client_verified = Verified;
}
{
#ifdef TLS_DEBUG
dbg() << "> Key exchange";
#endif
auto packet = build_client_key_exchange();
write_packet(packet);
}
{
#ifdef TLS_DEBUG
dbg() << "> change cipher spec";
#endif
auto packet = build_change_cipher_spec();
write_packet(packet);
}
m_context.cipher_spec_set = 1;
m_context.local_sequence_number = 0;
{
#ifdef TLS_DEBUG
dbg() << "> client finished";
#endif
auto packet = build_finished();
write_packet(packet);
}
m_context.cipher_spec_set = 0;
break;
case WritePacketStage::ServerHandshake:
// server handshake
dbg() << "UNSUPPORTED: Server mode";
ASSERT_NOT_REACHED();
break;
case WritePacketStage::Finished:
// finished
{
#ifdef TLS_DEBUG
dbg() << "> change cipher spec";
#endif
auto packet = build_change_cipher_spec();
write_packet(packet);
}
{
#ifdef TLS_DEBUG
dbg() << "> client finished";
#endif
auto packet = build_finished();
write_packet(packet);
}
m_context.connection_status = ConnectionStatus::Established;
break;
}
payload_size++;
buffer_length -= payload_size;
buffer = buffer.slice(payload_size, buffer_length);
}
return original_length;
}
}

216
Libraries/LibTLS/Exchange.cpp Normal file
View file

@ -0,0 +1,216 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/DER.h>
#include <LibCrypto/PK/Code/EMSA_PSS.h>
#include <LibTLS/TLSv12.h>
namespace TLS {
bool TLSv12::expand_key()
{
u8 key[192]; // soooooooo many constants
auto key_buffer = ByteBuffer::wrap(key, 192);
if (m_context.master_key.size() == 0) {
dbg() << "expand_key() with empty master key";
return false;
}
auto key_size = key_length();
auto mac_size = mac_length();
auto iv_size = iv_length();
pseudorandom_function(
key_buffer,
m_context.master_key,
(const u8*)"key expansion", 13,
ByteBuffer::wrap(m_context.remote_random, 32),
ByteBuffer::wrap(m_context.local_random, 32));
size_t offset = 0;
memcpy(m_context.crypto.local_mac, key + offset, mac_size);
offset += mac_size;
memcpy(m_context.crypto.remote_mac, key + offset, mac_size);
offset += mac_size;
auto client_key = key + offset;
offset += key_size;
auto server_key = key + offset;
offset += key_size;
auto client_iv = key + offset;
offset += iv_size;
auto server_iv = key + offset;
offset += iv_size;
#ifdef TLS_DEBUG
dbg() << "client key";
print_buffer(client_key, key_size);
dbg() << "server key";
print_buffer(server_key, key_size);
dbg() << "client iv";
print_buffer(client_iv, iv_size);
dbg() << "server iv";
print_buffer(server_iv, iv_size);
dbg() << "client mac key";
print_buffer(m_context.crypto.local_mac, mac_size);
dbg() << "server mac key";
print_buffer(m_context.crypto.remote_mac, mac_size);
#endif
memcpy(m_context.crypto.local_iv, client_iv, iv_size);
memcpy(m_context.crypto.remote_iv, server_iv, iv_size);
m_aes_local = make<Crypto::Cipher::AESCipher::CBCMode>(ByteBuffer::wrap(client_key, key_size), key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
m_aes_remote = make<Crypto::Cipher::AESCipher::CBCMode>(ByteBuffer::wrap(server_key, key_size), key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
m_context.crypto.created = 1;
return true;
}
void TLSv12::pseudorandom_function(ByteBuffer& output, const ByteBuffer& secret, const u8* label, size_t label_length, const ByteBuffer& seed, const ByteBuffer& seed_b)
{
if (!secret.size()) {
dbg() << "null secret";
return;
}
// RFC 5246: "In this section, we define one PRF, based on HMAC. This PRF with the
// SHA-256 hash function is used for all cipher suites defined in this
// document and in TLS documents published prior to this document when
// TLS 1.2 is negotiated."
// Apparently this PRF _always_ uses SHA256
Crypto::Authentication::HMAC<Crypto::Hash::SHA256> hmac(secret);
auto l_seed_size = label_length + seed.size() + seed_b.size();
u8 l_seed[l_seed_size];
auto label_seed_buffer = ByteBuffer::wrap(l_seed, l_seed_size);
label_seed_buffer.overwrite(0, label, label_length);
label_seed_buffer.overwrite(label_length, seed.data(), seed.size());
label_seed_buffer.overwrite(label_length + seed.size(), seed_b.data(), seed_b.size());
auto digest_size = hmac.digest_size();
u8 digest[digest_size];
auto digest_0 = ByteBuffer::wrap(digest, digest_size);
digest_0.overwrite(0, hmac.process(label_seed_buffer).immutable_data(), digest_size);
size_t index = 0;
while (index < output.size()) {
hmac.update(digest_0);
hmac.update(label_seed_buffer);
auto digest_1 = hmac.digest();
auto copy_size = min(digest_size, output.size() - index);
output.overwrite(index, digest_1.immutable_data(), copy_size);
index += copy_size;
digest_0.overwrite(0, hmac.process(digest_0).immutable_data(), digest_size);
}
}
bool TLSv12::compute_master_secret(size_t length)
{
if (m_context.premaster_key.size() == 0 || length < 48) {
dbg() << "there's no way I can make a master secret like this";
dbg() << "I'd like to talk to your manager about this length of " << length;
return false;
}
m_context.master_key.clear();
m_context.master_key.grow(length);
pseudorandom_function(
m_context.master_key,
m_context.premaster_key,
(const u8*)"master secret", 13,
ByteBuffer::wrap(m_context.local_random, 32),
ByteBuffer::wrap(m_context.remote_random, 32));
m_context.premaster_key.clear();
#ifdef TLS_DEBUG
dbg() << "master key:";
print_buffer(m_context.master_key);
#endif
expand_key();
return true;
}
ByteBuffer TLSv12::build_certificate()
{
dbg() << "FIXME: build_certificate";
return {};
}
ByteBuffer TLSv12::build_change_cipher_spec()
{
PacketBuilder builder { MessageType::ChangeCipher, m_context.version, 64 };
builder.append((u8)1);
auto packet = builder.build();
update_packet(packet);
m_context.local_sequence_number = 0;
return packet;
}
ByteBuffer TLSv12::build_server_key_exchange()
{
dbg() << "FIXME: build_server_key_exchange";
return {};
}
ByteBuffer TLSv12::build_client_key_exchange()
{
PacketBuilder builder { MessageType::Handshake, m_context.version };
builder.append((u8)HandshakeType::ClientKeyExchange);
build_random(builder);
m_context.connection_status = ConnectionStatus::KeyExchange;
auto packet = builder.build();
update_packet(packet);
return packet;
}
ssize_t TLSv12::handle_server_key_exchange(const ByteBuffer&)
{
dbg() << "FIXME: parse_server_key_exchange";
return 0;
}
ssize_t TLSv12::handle_verify(const ByteBuffer&)
{
dbg() << "FIXME: parse_verify";
return 0;
}
}

162
Libraries/LibTLS/Handshake.cpp Normal file
View file

@ -0,0 +1,162 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/DER.h>
#include <LibCrypto/PK/Code/EMSA_PSS.h>
#include <LibTLS/TLSv12.h>
namespace TLS {
ByteBuffer TLSv12::build_hello()
{
arc4random_buf(&m_context.local_random, 32);
auto packet_version = (u16)m_context.version;
auto version = (u16)m_context.version;
PacketBuilder builder { MessageType::Handshake, packet_version };
builder.append((u8)ClientHello);
// hello length (for later)
u8 dummy[3];
builder.append(dummy, 3);
auto start_length = builder.length();
builder.append(version);
builder.append(m_context.local_random, sizeof(m_context.local_random));
builder.append(m_context.session_id_size);
if (m_context.session_id_size)
builder.append(m_context.session_id, m_context.session_id_size);
size_t extension_length = 0;
size_t alpn_length = 0;
size_t alpn_negotiated_length = 0;
// ALPN
if (!m_context.negotiated_alpn.is_null()) {
alpn_negotiated_length = m_context.negotiated_alpn.length();
alpn_length = alpn_negotiated_length + 1;
extension_length += alpn_length + 6;
} else if (m_context.alpn.size()) {
for (auto& alpn : m_context.alpn) {
size_t length = alpn.length();
alpn_length += length + 1;
}
if (alpn_length)
extension_length += alpn_length + 6;
}
// Ciphers
builder.append((u16)(4 * sizeof(u16)));
builder.append((u16)CipherSuite::RSA_WITH_AES_128_CBC_SHA256);
builder.append((u16)CipherSuite::RSA_WITH_AES_256_CBC_SHA256);
builder.append((u16)CipherSuite::RSA_WITH_AES_128_CBC_SHA);
builder.append((u16)CipherSuite::RSA_WITH_AES_256_CBC_SHA);
// we don't like compression
builder.append((u8)1);
builder.append((u8)0);
// set SNI if we have one
auto sni_length = 0;
if (!m_context.SNI.is_null())
sni_length = m_context.SNI.length();
if (sni_length)
extension_length += sni_length + 9;
builder.append((u16)extension_length);
if (sni_length) {
// SNI extension
builder.append((u16)HandshakeExtension::ServerName);
// extension length
builder.append((u16)(sni_length + 5));
// SNI length
builder.append((u16)(sni_length + 3));
// SNI type
builder.append((u8)0);
// SNI host length + value
builder.append((u16)sni_length);
builder.append((const u8*)m_context.SNI.characters(), sni_length);
}
if (alpn_length) {
// TODO
ASSERT_NOT_REACHED();
}
// set the "length" field of the packet
size_t remaining = builder.length() - start_length;
size_t payload_position = 6;
builder.set(payload_position, remaining / 0x10000);
remaining %= 0x10000;
builder.set(payload_position + 1, remaining / 0x100);
remaining %= 0x100;
builder.set(payload_position + 2, remaining);
auto packet = builder.build();
update_packet(packet);
return packet;
}
ByteBuffer TLSv12::build_alert(bool critical, u8 code)
{
dbg() << "FIXME: build_alert";
(void)critical;
(void)code;
return {};
}
ByteBuffer TLSv12::build_finished()
{
PacketBuilder builder { MessageType::Handshake, m_context.version, 12 + 64 };
builder.append((u8)HandshakeType::Finished);
u32 out_size = 12;
builder.append_u24(out_size);
u8 out[out_size];
auto outbuffer = ByteBuffer::wrap(out, out_size);
auto dummy = ByteBuffer::create_zeroed(0);
auto digest = m_context.handshake_hash.digest();
auto hashbuf = ByteBuffer::wrap(digest.immutable_data(), m_context.handshake_hash.digest_size());
pseudorandom_function(outbuffer, m_context.master_key, (const u8*)"client finished", 15, hashbuf, dummy);
builder.append(outbuffer);
auto packet = builder.build();
update_packet(packet);
return packet;
}
}

7
Libraries/LibTLS/Makefile
View file

@ -1,4 +1,9 @@
LIBTLS_OBJS = TLSv12.o
LIBTLS_OBJS = TLSv12.o \
ClientHandshake.o \
Exchange.o \
Handshake.o \
Record.o \
Socket.o
OBJS = $(LIBTLS_OBJS)

316
Libraries/LibTLS/Record.cpp Normal file
View file

@ -0,0 +1,316 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/DER.h>
#include <LibCrypto/PK/Code/EMSA_PSS.h>
#include <LibTLS/TLSv12.h>
namespace TLS {
void TLSv12::write_packet(ByteBuffer& packet)
{
m_context.tls_buffer.append(packet.data(), packet.size());
}
void TLSv12::update_packet(ByteBuffer& packet)
{
u32 header_size = 5;
*(u16*)packet.offset_pointer(3) = convert_between_host_and_network((u16)(packet.size() - header_size));
if (packet[0] != (u8)MessageType::ChangeCipher) {
if (packet[0] == (u8)MessageType::Handshake && packet.size() > header_size) {
u8 handshake_type = packet[header_size];
if (handshake_type != HandshakeType::HelloRequest && handshake_type != HandshakeType::HelloVerifyRequest) {
update_hash(packet.slice_view(header_size, packet.size() - header_size));
}
}
if (m_context.cipher_spec_set && m_context.crypto.created) {
size_t length = packet.size() - header_size + mac_length();
auto block_size = m_aes_local->cipher().block_size();
// if length is a multiple of block size, pad it up again
// since it seems no one handles aligned unpadded blocks
size_t padding = 0;
if (length % block_size == 0) {
padding = block_size;
length += padding;
}
size_t mac_size = mac_length();
if (m_context.crypto.created == 1) {
// `buffer' will continue to be encrypted
auto buffer = ByteBuffer::create_zeroed(length);
size_t buffer_position = 0;
u16 aligned_length = length + block_size - length % block_size;
auto iv_size = iv_length();
// we need enough space for a header, iv_length bytes of IV and whatever the packet contains
auto ct = ByteBuffer::create_zeroed(aligned_length + header_size + iv_size);
// copy the header over
ct.overwrite(0, packet.data(), header_size - 2);
// copy the packet, sans the header
buffer.overwrite(buffer_position, packet.offset_pointer(header_size), packet.size() - header_size);
buffer_position += packet.size() - header_size;
// get the appropricate HMAC value for the entire packet
auto mac = hmac_message(packet, {}, mac_size, true);
// write the MAC
buffer.overwrite(buffer_position, mac.data(), mac.size());
buffer_position += mac.size();
// if there's some padding to be done (since a packet MUST always be padded)
// apply it manually
if (padding) {
memset(buffer.offset_pointer(buffer_position), padding - 1, padding);
buffer_position += padding;
}
// should be the same value, but the manual padding
// throws a wrench into our plans
buffer.trim(buffer_position);
// FIXME: REALLY Should be filled with random bytes
auto iv = ByteBuffer::create_zeroed(iv_size);
// write it into the ciphertext portion of the message
ct.overwrite(header_size, iv.data(), iv.size());
ct.trim(length + block_size - length % block_size + header_size + block_size - padding);
// get a block to encrypt into
auto view = ct.slice_view(header_size + iv_size, length + block_size - length % block_size + block_size - padding - iv_size);
// encrypt the message
m_aes_local->encrypt(buffer, view, iv);
// store the correct ciphertext length into the packet
u16 ct_length = (u16)ct.size() - header_size;
*(u16*)ct.offset_pointer(header_size - 2) = convert_between_host_and_network(ct_length);
// replace the packet with the ciphertext
packet = ct;
}
}
}
++m_context.local_sequence_number;
}
void TLSv12::update_hash(const ByteBuffer& message)
{
m_context.handshake_hash.update(message);
}
ByteBuffer TLSv12::hmac_message(const ByteBuffer& buf, const Optional<ByteBuffer> buf2, size_t mac_length, bool local)
{
u64 sequence_number = convert_between_host_and_network(local ? m_context.local_sequence_number : m_context.remote_sequence_number);
ensure_hmac(mac_length, local);
auto& hmac = local ? *m_hmac_local : *m_hmac_remote;
#ifdef TLS_DEBUG
dbg() << "========================= PACKET DATA ==========================";
print_buffer((const u8*)&sequence_number, sizeof(u64));
print_buffer(buf);
if (buf2.has_value())
print_buffer(buf2.value());
dbg() << "========================= PACKET DATA ==========================";
#endif
hmac.update((const u8*)&sequence_number, sizeof(u64));
hmac.update(buf);
if (buf2.has_value() && buf2.value().size()) {
hmac.update(buf2.value());
}
auto digest = hmac.digest();
auto mac = ByteBuffer::copy(digest.immutable_data(), digest.data_length());
#ifdef TLS_DEBUG
dbg() << "HMAC of the block for sequence number " << m_context.local_sequence_number;
print_buffer(mac);
#endif
return mac;
}
ssize_t TLSv12::handle_message(const ByteBuffer& buffer)
{
auto res { 5ll };
size_t header_size = res;
ssize_t payload_res = 0;
#ifdef TLS_DEBUG
dbg() << "buffer size: " << buffer.size();
#endif
if (buffer.size() < 5) {
return (i8)Error::NeedMoreData;
}
auto type = (MessageType)buffer[0];
size_t buffer_position { 1 };
// FIXME: Read the version and verify it
#ifdef TLS_DEBUG
auto version = (Version) * (const u16*)buffer.offset_pointer(buffer_position);
dbg() << "type: " << (u8)type << " version: " << (u16)version;
#endif
buffer_position += 2;
auto length = convert_between_host_and_network(*(const u16*)buffer.offset_pointer(buffer_position));
#ifdef TLS_DEBUG
dbg() << "record length: " << length << " at offset: " << buffer_position;
#endif
buffer_position += 2;
if (buffer_position + length > buffer.size()) {
dbg() << "record length more than what we have: " << buffer.size();
return (i8)Error::NeedMoreData;
}
#ifdef TLS_DEBUG
dbg() << "message type: " << (u8)type << ", length: " << length;
#endif
ByteBuffer plain = buffer.slice_view(buffer_position, buffer.size() - buffer_position);
if (m_context.cipher_spec_set && type != MessageType::ChangeCipher) {
#ifdef TLS_DEBUG
dbg() << "Encrypted: ";
print_buffer(buffer.slice_view(header_size, length));
#endif
ASSERT(m_aes_remote);
auto iv_size = iv_length();
auto decrypted = m_aes_remote->create_aligned_buffer(length - iv_size);
auto iv = buffer.slice_view(header_size, iv_size);
m_aes_remote->decrypt(buffer.slice_view(header_size + iv_size, length - iv_size), decrypted, iv);
length = decrypted.size();
#ifdef TLS_DEBUG
dbg() << "Decrypted: ";
print_buffer(decrypted);
#endif
auto mac_size = mac_length();
if (length < mac_size) {
dbg() << "broken packet";
auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
write_packet(packet);
return (i8)Error::BrokenPacket;
}
const u8* message_hmac = decrypted.offset_pointer(length - mac_size);
u8 temp_buf[5];
memcpy(temp_buf, buffer.offset_pointer(0), 3);
*(u16*)(temp_buf + 3) = convert_between_host_and_network(length);
auto hmac = hmac_message(ByteBuffer::wrap(temp_buf, 5), decrypted, mac_size);
auto message_mac = ByteBuffer::wrap(message_hmac, mac_size);
if (hmac != message_mac) {
dbg() << "integrity check failed (mac length " << length << ")";
dbg() << "mac received:";
print_buffer(message_mac);
dbg() << "mac computed:";
print_buffer(hmac);
auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
write_packet(packet);
return (i8)Error::IntegrityCheckFailed;
}
plain = decrypted.slice(0, length - mac_size);
}
m_context.remote_sequence_number++;
switch (type) {
case MessageType::ApplicationData:
if (m_context.connection_status != ConnectionStatus::Established) {
dbg() << "unexpected application data";
payload_res = (i8)Error::UnexpectedMessage;
auto packet = build_alert(true, (u8)AlertDescription::UnexpectedMessage);
write_packet(packet);
} else {
#ifdef TLS_DEBUG
dbg() << "application data message of size " << plain.size();
#endif
m_context.application_buffer.append(plain.data(), plain.size());
}
break;
case MessageType::Handshake:
#ifdef TLS_DEBUG
dbg() << "tls handshake message";
#endif
payload_res = handle_payload(plain);
break;
case MessageType::ChangeCipher:
if (m_context.connection_status != ConnectionStatus::KeyExchange) {
dbg() << "unexpected change cipher message";
auto packet = build_alert(true, (u8)AlertDescription::UnexpectedMessage);
payload_res = (i8)Error::UnexpectedMessage;
} else {
#ifdef TLS_DEBUG
dbg() << "change cipher spec message";
#endif
m_context.cipher_spec_set = true;
m_context.remote_sequence_number = 0;
}
break;
case MessageType::Alert:
dbg() << "alert message of length " << length;
if (length >= 2) {
print_buffer(plain);
auto level = plain[0];
auto code = plain[1];
if (level == (u8)AlertLevel::Critical) {
dbg() << "We were alerted of a critical error: " << code;
m_context.critical_error = code;
res = (i8)Error::UnknownError;
} else {
dbg() << "Alert: " << code;
}
if (code == 0) {
// close notify
res += 2;
auto closure_alert = build_alert(true, (u8)AlertDescription::CloseNotify);
write_packet(closure_alert);
flush();
m_context.connection_finished = true;
}
m_context.error_code = (Error)code;
}
break;
default:
dbg() << "message not understood";
return (i8)Error::NotUnderstood;
}
if (payload_res < 0)
return payload_res;
if (res > 0)
return header_size + length;
return res;
}
}

212
Libraries/LibTLS/Socket.cpp Normal file
View file

@ -0,0 +1,212 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <LibCore/Timer.h>
#include <LibCrypto/ASN1/DER.h>
#include <LibCrypto/PK/Code/EMSA_PSS.h>
#include <LibTLS/TLSv12.h>
namespace TLS {
Optional<ByteBuffer> TLSv12::read()
{
if (m_context.application_buffer.size()) {
auto buf = m_context.application_buffer.slice(0, m_context.application_buffer.size());
m_context.application_buffer.clear();
return buf;
}
return {};
}
ByteBuffer TLSv12::read(size_t max_size)
{
if (m_context.application_buffer.size()) {
auto length = min(m_context.application_buffer.size(), max_size);
auto buf = m_context.application_buffer.slice(0, length);
m_context.application_buffer = m_context.application_buffer.slice(length, m_context.application_buffer.size() - length);
return buf;
}
return {};
}
ByteBuffer TLSv12::read_line(size_t max_size)
{
if (!can_read_line())
return {};
auto* start = m_context.application_buffer.data();
auto* newline = (u8*)memchr(m_context.application_buffer.data(), '\n', m_context.application_buffer.size());
ASSERT(newline);
size_t offset = newline - start;
if (offset > max_size)
return {};
auto buffer = ByteBuffer::copy(start, offset);
m_context.application_buffer = m_context.application_buffer.slice(offset + 1, m_context.application_buffer.size() - offset - 1);
return buffer;
}
bool TLSv12::write(const ByteBuffer& buffer)
{
if (m_context.connection_status != ConnectionStatus::Established) {
dbg() << "write request while not connected";
return false;
}
PacketBuilder builder { MessageType::ApplicationData, m_context.version, buffer.size() };
builder.append(buffer);
auto packet = builder.build();
update_packet(packet);
write_packet(packet);
return true;
}
bool TLSv12::connect(const String& hostname, int port)
{
set_sni(hostname);
return Core::Socket::connect(hostname, port);
}
bool TLSv12::common_connect(const struct sockaddr* saddr, socklen_t length)
{
if (m_context.critical_error)
return false;
if (Core::Socket::is_connected()) {
if (is_established()) {
ASSERT_NOT_REACHED();
} else {
Core::Socket::close(); // reuse?
}
}
auto packet = build_hello();
write_packet(packet);
Core::Socket::on_connected = [this] {
Core::Socket::on_ready_to_read = [this] {
if (!Core::Socket::is_open()) {
// an abrupt closure (the server is a jerk)
dbg() << "Socket not open, assuming abrupt closure";
m_context.connection_finished = true;
}
if (m_context.critical_error) {
dbg() << "READ CRITICAL ERROR " << m_context.critical_error << " :(";
if (on_tls_error)
on_tls_error((AlertDescription)m_context.critical_error);
return;
}
if (m_context.application_buffer.size() == 0 && m_context.connection_finished) {
if (on_tls_finished)
on_tls_finished();
if (m_context.tls_buffer.size()) {
dbg() << "connection closed without finishing data transfer, " << m_context.tls_buffer.size() << " bytes still in buffer";
} else {
m_context.connection_finished = false;
}
if (!m_context.application_buffer.size())
m_context.connection_status = ConnectionStatus::Disconnected;
return;
}
flush();
consume(Core::Socket::read(4096)); // FIXME: how much is proper?
if (is_established() && m_context.application_buffer.size())
if (on_tls_ready_to_read)
on_tls_ready_to_read(*this);
};
Core::Socket::on_ready_to_write = [this] {
if (!Core::Socket::is_open()) {
// an abrupt closure (the server is a jerk)
dbg() << "Socket not open, assuming abrupt closure";
m_context.connection_finished = true;
}
if (m_context.critical_error) {
dbg() << "WRITE CRITICAL ERROR " << m_context.critical_error << " :(";
if (on_tls_error)
on_tls_error((AlertDescription)m_context.critical_error);
return;
}
if (m_context.connection_finished) {
if (on_tls_finished)
on_tls_finished();
if (m_context.tls_buffer.size()) {
dbg() << "connection closed without finishing data transfer, " << m_context.tls_buffer.size() << " bytes still in buffer";
} else {
m_context.connection_finished = false;
dbg() << "FINISHED";
}
if (!m_context.application_buffer.size()) {
m_context.connection_status = ConnectionStatus::Disconnected;
return;
}
}
flush();
if (is_established() && !m_context.application_buffer.size()) // hey client, you still have stuff to read...
if (on_tls_ready_to_write)
on_tls_ready_to_write(*this);
};
if (on_tls_connected)
on_tls_connected();
};
bool success = Core::Socket::common_connect(saddr, length);
if (!success)
return false;
return true;
}
bool TLSv12::flush()
{
auto out_buffer = write_buffer().data();
size_t out_buffer_index { 0 };
size_t out_buffer_length = write_buffer().size();
if (out_buffer_length == 0)
return true;
#ifdef TLS_DEBUG
dbg() << "SENDING...";
print_buffer(out_buffer, out_buffer_length);
#endif
if (Core::Socket::write(&out_buffer[out_buffer_index], out_buffer_length)) {
write_buffer().clear();
return true;
}
if (m_context.send_retries++ == 10) {
// drop the records, we can't send
dbg() << "Dropping " << write_buffer().size() << " bytes worth of TLS records as max retries has been reached";
write_buffer().clear();
m_context.send_retries = 0;
}
return false;
}
}

118
Libraries/LibTLS/TLSPacketBuilder.h Normal file
View file

@ -0,0 +1,118 @@
/*
* Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#include <AK/ByteBuffer.h>
#include <AK/Types.h>
namespace TLS {
enum class MessageType : u8 {
ChangeCipher = 0x14,
Alert = 0x15,
Handshake = 0x16,
ApplicationData = 0x17,
};
enum class Version : u16 {
V10 = 0x0301,
V11 = 0x0302,
V12 = 0x0303,
V13 = 0x0304
};
class PacketBuilder {
public:
PacketBuilder(MessageType type, u16 version, size_t size_hint = 0xfdf)
: PacketBuilder(type, (Version)version, size_hint)
{
}
PacketBuilder(MessageType type, Version version, size_t size_hint = 0xfdf)
{
m_packet_data = ByteBuffer::create_uninitialized(size_hint + 16);
m_current_length = 5;
m_packet_data[0] = (u8)type;
*(u16*)m_packet_data.offset_pointer(1) = convert_between_host_and_network((u16)version);
}
inline void append(u16 value)
{
value = convert_between_host_and_network(value);
append((const u8*)&value, sizeof(value));
}
inline void append(u8 value)
{
append((const u8*)&value, sizeof(value));
}
inline void append(const ByteBuffer& data)
{
append(data.data(), data.size());
}
inline void append_u24(u32 value)
{
u8 buf[3];
buf[0] = value / 0x10000;
value %= 0x10000;
buf[1] = value / 0x100;
value %= 0x100;
buf[2] = value;
append(buf, 3);
}
inline void append(const u8* data, size_t bytes)
{
if (bytes == 0)
return;
auto old_length = m_current_length;
m_current_length += bytes;
if (m_packet_data.size() < m_current_length) {
m_packet_data.grow(m_current_length);
}
m_packet_data.overwrite(old_length, data, bytes);
}
inline ByteBuffer build()
{
auto length = m_current_length;
m_current_length = 0;
return m_packet_data.slice(0, length);
}
inline void set(size_t offset, u8 value)
{
ASSERT(offset < m_current_length);
m_packet_data[offset] = value;
}
size_t length() const { return m_current_length; }
private:
ByteBuffer m_packet_data;
size_t m_current_length;
};
}

1383
Libraries/LibTLS/TLSv12.cpp
View file

File diff suppressed because it is too large Load diff

117
Libraries/LibTLS/TLSv12.h
View file

@ -40,37 +40,22 @@
namespace TLS {
inline static void print_buffer(const ByteBuffer& buffer)
{
for (size_t i { 0 }; i < buffer.size(); ++i)
dbgprintf("%02x ", buffer[i]);
dbgprintf("\n");
}
inline static void print_buffer(const u8* buffer, size_t size)
{
for (size_t i { 0 }; i < size; ++i)
dbgprintf("%02x ", buffer[i]);
dbgprintf("\n");
}
class Socket;
enum class KeyExchangeAlgorithms {
DHE_DSS,
DHE_RSA,
DH_Anon,
RSA,
DH_DSS,
DH_RSA,
EC_DiffieHellman
};
enum class ClientCertificateType {
RSA_Sign = 1,
DSS_Sign = 2,
RSA_FixedDH = 3,
DSS_FixedDH = 4,
RSA_EphemeralDH = 5,
DSS_EphemeralDH = 6,
ECDSA_Sign = 64,
RSA_FixedECDH = 65,
ECDSA_FixedECDH = 66
};
enum class SignatureAlgorithm {
Anonymous = 0,
RSA = 1,
DSA = 2,
ECDSA = 3
};
enum class CipherSuite {
Invalid = 0,
AES_128_GCM_SHA256 = 0x1301,
@ -145,6 +130,46 @@ enum class AlertLevel : u8 {
Critical = 0x02
};
enum HandshakeType {
HelloRequest = 0x00,
ClientHello = 0x01,
ServerHello = 0x02,
HelloVerifyRequest = 0x03,
CertificateMessage = 0x0b,
ServerKeyExchange = 0x0c,
CertificateRequest = 0x0d,
ServerHelloDone = 0x0e,
CertificateVerify = 0x0f,
ClientKeyExchange = 0x10,
Finished = 0x14
};
enum class HandshakeExtension : u16 {
ServerName = 0x00,
ApplicationLayerProtocolNegotiation = 0x10,
SignatureAlgorithms = 0x0d,
};
enum class WritePacketStage {
Initial = 0,
ClientHandshake = 1,
ServerHandshake = 2,
Finished = 3,
};
enum class ConnectionStatus {
Disconnected,
Negotiating,
KeyExchange,
Renegotiating,
Established,
};
enum ClientVerificationStaus {
Verified,
VerificationNeeded,
};
struct Certificate {
u16 version;
u32 algorithm;
@ -183,7 +208,7 @@ struct Context {
u8 remote_random[32];
// To be predictable
u8 local_random[32] { 0 };
u8 local_random[32];
u8 session_id[32];
u8 session_id_size { 0 };
CipherSuite cipher;
@ -209,7 +234,7 @@ struct Context {
u64 remote_sequence_number { 0 };
u64 local_sequence_number { 0 };
u8 connection_status { 0 };
ConnectionStatus connection_status { ConnectionStatus::Disconnected };
u8 critical_error { 0 };
Error error_code { Error::NoError };
@ -225,7 +250,7 @@ struct Context {
ByteBuffer cached_handshake;
u8 client_verified { 0 };
ClientVerificationStaus client_verified { Verified };
bool connection_finished { false };
@ -236,6 +261,8 @@ struct Context {
Vector<String> alpn;
StringView negotiated_alpn;
size_t send_retries { 0 };
};
class TLSv12 : public Core::Socket {
@ -258,19 +285,19 @@ public:
}
ByteBuffer& write_buffer() { return m_context.tls_buffer; }
bool established() const { return m_context.connection_status == 0xff; }
bool is_established() const { return m_context.connection_status == ConnectionStatus::Established; }
virtual bool connect(const String&, int) override;
void set_sni(const StringView& sni)
{
if (m_context.is_server || m_context.critical_error || m_context.connection_status != 0) {
if (m_context.is_server || m_context.critical_error || m_context.connection_status != ConnectionStatus::Disconnected) {
dbg() << "invalid state for set_sni";
return;
}
m_context.SNI = sni;
}
Optional<Certificate> parse_asn1(const ByteBuffer& buffer, bool client_cert = false);
Optional<Certificate> parse_asn1(const ByteBuffer& buffer, bool client_cert = false) const;
bool load_certificates(const ByteBuffer& pem_buffer);
bool load_private_key(const ByteBuffer& pem_buffer);
@ -280,12 +307,12 @@ public:
void add_alpn(const StringView& alpn);
bool has_alpn(const StringView& alpn) const;
bool cipher_supported(CipherSuite suite) const
bool supports_cipher(CipherSuite suite) const
{
return suite == CipherSuite::RSA_WITH_AES_128_CBC_SHA256 || suite == CipherSuite::RSA_WITH_AES_256_CBC_SHA256 || suite == CipherSuite::RSA_WITH_AES_128_CBC_SHA || suite == CipherSuite::RSA_WITH_AES_256_CBC_SHA;
}
bool version_supported(Version v) const
bool supports_version(Version v) const
{
return v == Version::V12;
}
@ -312,6 +339,7 @@ private:
void consume(const ByteBuffer& record);
ByteBuffer hmac_message(const ByteBuffer& buf, const Optional<ByteBuffer> buf2, size_t mac_length, bool local = false);
void ensure_hmac(size_t digest_size, bool local);
void update_packet(ByteBuffer& packet);
void update_hash(const ByteBuffer& in);
@ -332,8 +360,8 @@ private:
bool flush();
ssize_t handle_hello(const ByteBuffer& buffer, size_t&);
ssize_t handle_finished(const ByteBuffer& buffer, size_t&);
ssize_t handle_hello(const ByteBuffer& buffer, WritePacketStage&);
ssize_t handle_finished(const ByteBuffer& buffer, WritePacketStage&);
ssize_t handle_certificate(const ByteBuffer& buffer);
ssize_t handle_server_key_exchange(const ByteBuffer& buffer);
ssize_t handle_server_hello_done(const ByteBuffer& buffer);
@ -410,10 +438,12 @@ private:
bool compute_master_secret(size_t length);
Context m_context;
RefPtr<Core::Notifier> m_notifier;
OwnPtr<Crypto::Cipher::AESCipher::CBCMode> m_aes_local { nullptr };
OwnPtr<Crypto::Cipher::AESCipher::CBCMode> m_aes_remote { nullptr };
OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_local;
OwnPtr<Crypto::Authentication::HMAC<Crypto::Hash::Manager>> m_hmac_remote;
OwnPtr<Crypto::Cipher::AESCipher::CBCMode> m_aes_local;
OwnPtr<Crypto::Cipher::AESCipher::CBCMode> m_aes_remote;
};
namespace Constants {
@ -441,6 +471,5 @@ constexpr static const u8 TLS_RSA_SIGN_SHA256_OID[] { 0x2a, 0x86, 0x48, 0x86, 0x
}
namespace Utilities {
}
using namespace Crypto;
}